Check Content:Windows XP - Verify that ISM.DLL is at version 5.0.2195.2363

Check Content:Cisco - Cisco PIX running versions up to and including 4.2(5), 4.4(4), 5.0(3), and 5.1(1) that provide access to FTP services.

Check Content: UNIX - If a web browser is installed, view the advanced options and ensure that any scripting, such as JavaScript, is disabled. Web server software such as Apache and the Sun Java web server, and the associated web pages, should be reviewed by the web server administrator and web site developers for dynamic content that may be vulnerable to malicious scripting.

to look for the presence of a Kerberos 5 configuration file on the system. If the file is found, look for the presence of the default domain and v4_instance_convert configuration variables in the [realms] section of the file. If these two variables are present and configured, this is a finding, as Kerberos is working in Version IV compatibility mode. If /etc/krb4.conf exists, this is also a finding unless the patches have been applied. Upgrade to version 5-1.0.X and apply the patch provided by MIT. Only the patches for the krb_rd_req() vulnerability need to be applied to version 4 to address the issues described in this advisory.
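A scripted form of the check above, added here as an example and not part of the original IAVA text. It assumes the "default domain" variable the check refers to is the krb5.conf key `default_domain`, scans only the `[realms]` section (so the same key names in other sections do not count), and treats the existence of a krb4.conf file as a separate finding. The configuration files it reads are constructed samples written to a temporary directory; pass real paths to run it against a host.

```shell
#!/bin/sh
# Added example: Kerberos V4 compatibility check for krb5.conf / krb4.conf.
# Not taken from the original document; the key name default_domain is an
# assumption about what the check calls the "default domain" variable.

# realms_has_v4_compat KRB5CONF: succeed when the [realms] section contains
# both default_domain and v4_instance_convert (the finding condition).
realms_has_v4_compat() {
    [ -r "$1" ] || return 1
    awk '
        /^[[:space:]]*[#;]/ { next }                                   # comment
        /^[[:space:]]*\[/   { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/); next }
        in_realms && /^[[:space:]]*default_domain[[:space:]]*=/      { dd = 1 }
        in_realms && /^[[:space:]]*v4_instance_convert[[:space:]]*=/ { v4 = 1 }
        END { exit !(dd && v4) }
    ' "$1"
}

# krb4_compat_finding KRB5CONF KRB4CONF: succeed (i.e. report a finding) if
# a krb4.conf exists or the V4 compatibility variables are configured.
krb4_compat_finding() {
    if [ -n "$2" ] && [ -e "$2" ]; then return 0; fi
    realms_has_v4_compat "$1"
}

# write_sample_krb5_confs DIR: constructed krb5.conf samples for rehearsal.
write_sample_krb5_confs() {
    # Both variables inside a realm block of [realms]: V4 compatibility mode.
    printf '%s\n' '[libdefaults]' '    default_realm = EXAMPLE.COM' '' \
        '[realms]' '    EXAMPLE.COM = {' '        kdc = kdc.example.com' \
        '        default_domain = example.com' \
        '        v4_instance_convert = {' '            mit = mit.edu' \
        '        }' '    }' > "$1/v4compat.conf"
    # default_domain alone is not the finding condition.
    printf '%s\n' '[libdefaults]' '    default_realm = EXAMPLE.COM' '' \
        '[realms]' '    EXAMPLE.COM = {' '        kdc = kdc.example.com' \
        '        default_domain = example.com' '    }' > "$1/clean.conf"
    # Same keys outside [realms] must be ignored by a section-aware scan.
    printf '%s\n' '[libdefaults]' '    default_domain = example.com' \
        '    v4_instance_convert = { }' '' '[realms]' \
        '    EXAMPLE.COM = {' '        kdc = kdc.example.com' '    }' \
        > "$1/othersection.conf"
}

# Demonstration on the constructed samples.
demo_krb4_check() {
    d=$(mktemp -d)
    write_sample_krb5_confs "$d"
    for f in v4compat.conf clean.conf othersection.conf; do
        if krb4_compat_finding "$d/$f" "$d/krb4.conf"; then
            printf 'FINDING  %s\n' "$f"
        else
            printf 'ok       %s\n' "$f"
        fi
    done
    rm -rf "$d"
}
demo_krb4_check
```

On a real host the two arguments would be /etc/krb5.conf and /etc/krb4.conf; the awk scan is line-based, which is enough because both keys appear at the start of their own lines in the brace-structured realm blocks.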

Check Content: Not applicable to CISCO IOS, CATOS, PIX, SN5420 - request sent to JTF to have removed in VMS

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: Disable
Fix Text: Not applicable to CISCO IOS, CATOS, PIX, SN5420 - request sent to JTF to have removed in VMS

Perform procedures in Appendix F, Patch Control, to check for the following patches:

Debian
nfs-common_0.1.9.1-1.deb

Redhat
nfs-utils-0.1.9.1-1.i386.rpm

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: Affected Systems: Redhat Linux (Manual) - Affected Systems: Redhat Linux systems running the rpc.statd service. Do one or more of the following:
(1) Install the appropriate vendor patches;
(2) Upgrade to the newest version of rpc.statd (OS dependent);
(3) Disable the rpc.statd daemon. Proceed with caution--disabling this process will interfere with NFS file sharing functions;
(4) Block unneeded ports at your firewall. This will not remedy the rpc.statd vulnerability but prevents outsiders from exploiting it. Recommend blocking port 111 and the port that rpc.statd is running on, which varies by OS.
Vendor patch information is provided below in the attached CERT/CC advisory. If neither an upgrade nor a patch can be applied, the DOD CERT recommends disabling all vulnerable rpc.statd services. While disabling rpc.statd functionality or blocking the associated ports minimizes exposure to the vulnerability, neither is a complete solution and may not mitigate the risks involved with exposure to the rpc.statd vulnerability. An intruder or untrained user could re-enable the rpc.statd daemon later. Maintain contact with your Linux vendor and update patches as required. Adequate defense-in-depth strategies will mitigate risk further--block port 111 with a router or firewall in addition to patching vulnerable systems. Monitor port 111 network traffic very closely. Add host monitoring software on critical systems. Report unusual activity through your CND Service Provider.
Affected Operating Systems and Patch Information:
Debian: http://www.debian.org/security/2000/20000719a
RedHat: http://www.redhat.com/support/errata/RHSA-2000-043-03.html
_____________________________________________________________

Check Content: To examine the version number of named, perform the following commands:

# find / -name named
# find / -name in.named

After determining the binary is not a trojan, perform the following as a non-privileged user:

# what in.named/named | grep -i version
# strings in.named/named | grep -i version
# named -v
# named -d0

Users of BIND 4.9.x or 8.2.2 must upgrade to BIND 8.2.3 or later, or BIND 9.1 or later. Because BIND 4 is no longer actively maintained, users must upgrade to either BIND 8.2.3 or later, or BIND 9.1 or later.

Check Content: Not applicable to CISCO IOS, CATOS, PIX, SN5420 - request sent to JTF to have removed in VMS

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text:
- Upgrade to, at the least, the required software release or remove the binary/application to remediate this finding.
- Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT I finding may be downgraded to a CAT II.

Fix Text: Not applicable to CISCO IOS, CATOS, PIX, SN5420 - request sent to JTF to have removed in VMS
_____________________________________________________________

Check Content: Use the following steps to determine the version number:

1. Navigate to the following directory: server-root/bin/https/bin

2. After determining the binary is not a trojan, run the ns-httpd program as a non-privileged user with the "-v" parameter:

# ./ns-httpd -v

Check Content: Ensure the iPlanet Web Server has been upgraded to version 4.1sp7 or later.

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text:
- Upgrade to, at the least, the required software release or remove the binary/application to remediate this finding.
- Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT I finding may be downgraded to a CAT II.
_____________________________________________________________

Check Content:To determine the version of snort, after determining the binary is not a trojan, issue the following command as a non-privileged user:

# snort -V

If the version of snort is not at least 1.8.1, this is a finding.

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)Fix Text: NetRanger replaced with Cisco Secure IDS (upgrade to new hardware and software) & Cisco Catalyst 6000 IDS Is EOL (end of life as of 2003)
_____________________________________________________________

Check Content: Vulnerable systems are: Caldera through 3.1, Cobalt QUBE 1.0, Conectiva through 7.0, Debian through 2.2, Mandrake through 8.1, Red Hat through 7.2, SuSE through 7.3, Immunix through 7.0, and any other system using WU-FTPD or derivatives of it. To correct the vulnerability, upgrade to the latest version from the vendor or from Washington University. Version 2.6.2 is the target version. To find the version of the installed daemon, perform:

# strings /usr/sbin/in.ftpd | grep -i version

or log into the server using the ftp command and, when connected, use the ver command to elicit the version from the daemon. If the version displayed shows something similar to the following, "Version 2.6.0per2(1)" followed by a date, it is wu-ftpd. The version must be 2.6.2 or greater, or this is a finding. Wu-ftpd is found primarily on Linux systems, and the IAVA is specific to Linux.

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text:
- Upgrade to, at the least, the required software release or remove the binary/application to remediate this finding.
- Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT I finding may be downgraded to a CAT II.
_____________________________________________________________

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text:
- Apply the applicable patch or remove the binary/application to remediate this finding.
- Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT I finding may be downgraded to a CAT II.

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text:
- Apply the applicable patch or remove the binary/application to remediate this finding.
- Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT II finding may be downgraded to a CAT III.
_____________________________________________________________

# telnet localhost 22

Or

# strings (ssh or sshd) | grep -i version

Or, after determining the binary is not a trojan, perform the following as a non-privileged user:

# ssh -V

Upgrade to OpenSSH 3.0.2 or later.

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text:
- Upgrade to, at the least, the required software release or remove the binary/application to remediate this finding.
- Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT I finding may be downgraded to a CAT II.
_____________________________________________________________

Check Content: This check only applies to SSH by SSH Communications Security. To get the version, perform one of the following commands:

# telnet localhost 22

Or

# strings (ssh or sshd) | grep -i version

Upgrade to SSH Secure Shell 3.0.1 or later.

Check Content: Not applicable to CISCO IOS, CATOS, PIX, SN5420 - request sent to JTF to have removed in VMS

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text:
- Upgrade to, at the least, the required software release or remove the binary/application to remediate this finding.
- Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT II finding may be downgraded to a CAT III.

Fix Text: Not applicable to CISCO IOS, CATOS, PIX, SN5420 - request sent to JTF to have removed in VMS
_____________________________________________________________

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text:
- Upgrade to, at the least, the required software release or remove the binary/application to remediate this finding.
- Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT I finding may be downgraded to a CAT II.
_____________________________________________________________

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text:
- Apply the applicable patch, upgrade to, at the least, the required software release, or remove the binary to remediate this finding.
- Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT I finding may be downgraded to a CAT II.
_____________________________________________________________

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: (Manual) - Upgrade to version 8.12.9 or obtain vendor patches that address the vulnerability.
_____________________________________________________________

HP-UX
B.10.20   PHCO_26158 or PHCO_31920
B.10.24   PHCO_27882 or PHNE_30377 or PHNE_30660 or PHNE_31096
B.11.00   PHNE_28567 or PHNE_28982 or PHNE_29210 or PHNE_29785 or PHNE_29882 or PHNE_30377 or PHNE_30660 or PHNE_31096
B.11.11   PHNE_28568 or PHNE_28983 or PHNE_29211 or PHNE_29783 or PHNE_29883 or PHNE_30378 or PHNE_30380 or PHNE_30661

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text:
- Apply the applicable patch or remove the binary/application to remediate this finding.
- Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT II finding may be downgraded to a CAT III.
_____________________________________________________________

Check Content: If Secure Shell is running, verify it is OpenSSH. If it is OpenSSH, check the version by locating the ssh command and, after determining the binary is not a trojan, perform the following command as a non-privileged user:

# ./ssh -V

Sun versions and the OpenSSH version each corresponds to:

Sun      OpenSSH
1.0      3.1.6
1.0.1    3.7.1
1.0.2    3.9p1

The command will return the version. If it is less than 3.7.1, this is a finding.

Fix Text: (Manual) - Upgrade to OpenSSH version 3.7.1, at a minimum, or install patches furnished by OpenSSH.org.
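Several checks on this page reduce to the same question: does the version a tool reports meet a required minimum (BIND 8.2.3 or 9.1, snort 1.8.1, wu-ftpd 2.6.2, OpenSSH 3.0.2 and then 3.7.1 above). The shell functions below, added here as an example rather than taken from the IAVA text, pull the first dotted version out of a banner and compare it field by field, so that 1.8.10 is correctly judged newer than 1.8.9 (a plain string comparison would get this wrong). The banners in the demonstration are constructed, not captured from a real host, and the BIND rule encodes the two acceptable lines named above.

```shell
#!/bin/sh
# Added example: minimum-version gate for the "must be at least version X"
# checks on this page. Not from the original document; sample banners are
# constructed to resemble tool output.

# Pull the first dotted numeric token out of a version banner,
# e.g. "Version 1.8.1 (Build 74)" -> 1.8.1, "OpenSSH_3.9p1" -> 3.9.
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9.]*[0-9]' | head -n 1
}

# Normalise a version token: strip a non-digit prefix ("v1.4.6") and anything
# from the first character that is neither a digit nor a dot ("8.2.3-REL").
ver_norm() {
    printf '%s\n' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//'
}

# version_ge A B: succeed when A >= B, comparing dotted fields numerically.
# Missing trailing fields count as 0, so 8.2 compares equal to 8.2.0.
version_ge() {
    a=$(ver_norm "$1"); b=$(ver_norm "$2"); i=1
    while [ "$i" -le 8 ]; do
        fa=$(printf '%s\n' "$a" | awk -F. -v n="$i" '{ print $n }')
        fb=$(printf '%s\n' "$b" | awk -F. -v n="$i" '{ print $n }')
        if [ -z "$fa" ] && [ -z "$fb" ]; then return 0; fi
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# min_version_ok BANNER REQUIRED: succeed when the version in BANNER meets
# REQUIRED; failure is the STIG "finding". An unparseable banner is a finding.
min_version_ok() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then return 1; fi
    version_ge "$v" "$2"
}

# BIND has two acceptable lines: 8.2.3 or later, or 9.1 or later.
# 9.0.x is below 9.1 and so is still a finding.
bind_version_ok() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then return 1; fi
    if version_ge "$v" 9.0; then
        version_ge "$v" 9.1
    else
        version_ge "$v" 8.2.3
    fi
}

# Demonstration on constructed banners (not real output).
demo_version_gate() {
    for banner in 'Version 1.8.0 (Build 66)' 'Version 1.8.1 (Build 74)'; do
        if min_version_ok "$banner" 1.8.1; then
            printf 'ok       snort  %s\n' "$banner"
        else
            printf 'FINDING  snort  %s\n' "$banner"
        fi
    done
    for banner in 'named 8.2.2' 'named 9.0.0' 'BIND 9.1.0'; do
        if bind_version_ok "$banner"; then
            printf 'ok       bind   %s\n' "$banner"
        else
            printf 'FINDING  bind   %s\n' "$banner"
        fi
    done
}
demo_version_gate
```

In use, the banner argument is whatever the check's command printed, for example `min_version_ok "$(ssh -V 2>&1)" 3.7.1` for the OpenSSH check above; the portable-OpenSSH `p1` suffix and BIND's `-REL` tag are dropped before comparison because they do not affect the required-version decision.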
_____________________________________________________________

Check Content: First, determine if the system is running rsyncd by performing:

# netstat -a | egrep "873|rsync"

If rsync is running on the system then:

# grep chroot /etc/rsyncd.conf

If it is not there, or it is set to no, this is a finding. Obtain patches from the vendor in accordance with the IAVA.

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: (Manual) - Do not use unnecessary network services. If rsync must be used, ensure the latest vendor patches have been applied. If the rsync daemon is used, in addition to installing the latest vendor patches, ensure it is run in a chrooted environment by including the entry "use chroot = yes" in the rsyncd.conf file.
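The two-step rsync check above can be automated; the functions below are an added example, not part of the original check text. `rsync_listening` reads netstat-style output and looks for a listener on the rsync port or service name, and `rsync_chroot_ok` parses rsyncd.conf the way the check intends: a bare `grep chroot` would be satisfied by a commented-out or per-module line, so the parser skips comments, matches the key case-insensitively, and requires the global (pre-module) `use chroot` to be `yes` or `true` with no module overriding it. The netstat lines and configuration files are constructed samples.

```shell
#!/bin/sh
# Added example: automated form of the rsyncd checks. Not from the original
# document; netstat lines and rsyncd.conf contents below are constructed.

# rsync_listening < NETSTAT_OUTPUT: succeed if a LISTEN entry on port 873
# (or the resolved service name "rsync") appears in the listing.
rsync_listening() {
    grep -Eiq '(:873|\.873|:rsync)[[:space:]].*LISTEN'
}

# rsync_chroot_ok FILE: succeed when the global "use chroot" is yes/true and
# no [module] section overrides it with another value; anything else is the
# finding described in the check (absent, or set to no).
rsync_chroot_ok() {
    [ -r "$1" ] || return 1
    awk '
        function enabled(v) { return (v == "yes" || v == "true") }
        /^[[:space:]]*[#;]/ { next }                     # comment line
        /^[[:space:]]*$/    { next }                     # blank line
        /^[[:space:]]*\[/   { in_module = 1; next }      # [module] header
        tolower($0) ~ /^[[:space:]]*use[[:space:]]+chroot[[:space:]]*=/ {
            v = tolower($0)
            sub(/^[^=]*=[[:space:]]*/, "", v)
            sub(/[[:space:]]+$/, "", v)
            if (in_module) { if (!enabled(v)) bad = 1 } else global = v
        }
        END { exit !(enabled(global) && !bad) }
    ' "$1"
}

# write_sample_rsyncd_confs DIR: constructed configurations for rehearsal.
write_sample_rsyncd_confs() {
    printf '%s\n' '# constructed sample' 'uid = nobody' 'Use Chroot = yes' \
        '[backup]' '    path = /srv/backup' > "$1/good.conf"
    printf '%s\n' 'uid = nobody' 'use chroot = no' \
        '[backup]' '    path = /srv/backup' > "$1/bad.conf"
    printf '%s\n' 'uid = nobody' '# use chroot = yes' \
        '[backup]' '    path = /srv/backup' > "$1/commented.conf"
    printf '%s\n' 'uid = nobody' 'use chroot = yes' \
        '[backup]' '    path = /srv/backup' '    use chroot = no' > "$1/override.conf"
}

demo_rsync_check() {
    d=$(mktemp -d)
    write_sample_rsyncd_confs "$d"
    for f in good.conf bad.conf commented.conf override.conf; do
        if rsync_chroot_ok "$d/$f"; then printf 'ok       %s\n' "$f"
        else printf 'FINDING  %s\n' "$f"; fi
    done
    rm -rf "$d"
}
demo_rsync_check
```

On a live system the two functions would be chained as `netstat -a | rsync_listening && rsync_chroot_ok /etc/rsyncd.conf`; the value spellings accepted as "enabled" (yes and true) are the ones this example chooses, so extend the `enabled` function if your rsync build accepts others.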
_____________________________________________________________

System Administrators who use VPN capabilities on VPN-1/FireWall-1 4.1 SP5a and prior, Next Generation FP0 and FP1 must upgrade to the latest non-vulnerable version provided below: http://www.checkpoint.com/techsupport/ng_application_intelligence/r55_updates.html

Check Content:N/A - Checkpoint - request sent to JTF to have removed in VMS

Fix Text: N/A - Checkpoint - request sent to JTF to have removed in VMS

Fix Text: (Manual) - HTTP: System Administrators who use the HTTP Security Servers of Check Point Firewall-1 must download and apply the following update: http://www.checkpoint.com/techsupport/downloads/bin/firewall1/security_server_hotfix_cpsc.zip
VPN-1: System Administrators who use VPN capabilities on VPN-1/FireWall-1 4.1 SP5a and prior, Next Generation FP0 and FP1 must upgrade to the latest non-vulnerable version provided below: http://www.checkpoint.com/techsupport/ng_application_intelligence/r55_updates.html
_____________________________________________________________

Check Content:Check that the Oracle9i Lite has been updated to version 5.0.2.10.0 or higher.

Check Content: Use the Oracle opatch utility to list the installed patches with the command opatch lsinventory -detail. Patch 3369291 must be installed. If the patch is not installed, then this is a finding.

Check Content: Verify that Symantec AntiVirus Corporate Edition v 8.0 is at version 8.0.1.501 or above. Verify that Symantec AntiVirus Corporate Edition v 8.1 is at version 8.1.1.366 or above.

Check Content:Ask the system administrator if any of the products listed in the vulnerable systems are installed on the system. Ask the administrator if the most current product update which is available from https://www.jtfgno.mil has been installed. This is a finding if the most recent software has not been installed.

Check Content: Verify that the VSAPI scan engine "VsapiNT.sys" is at version 7.501 or higher.

Check Content:Ask the system administrator if any of the Trend Micro security products are installed on the machine. If any of the products are installed, ask the system administrator if an appropriate vendor patch has been installed as identified at https://www.jtfgno.mil. If the specific patch listed in the IAVA has not been installed, then this is a finding.

Check Content: To verify that the patch has been installed, check that the version of the lic98rmt.exe file is greater than 1.4.6.

Note the following default license install directories: C:\CA_LIC or C:\Program Files\CA\SharedComponents\CA_LIC

Check Content: (Unix - Manual) The default installation directories are /opt/CA/ca_lic or /opt/CA/SharedComponents/ca_lic. Run lic98version from a command prompt to print out the version number and/or write it to lic98version.log.

Or

Run strings licrmt | grep BUILD from a command prompt. The following string format will be returned: "LICAGENT BUILD INFO = /x.x.x/Apr 16 2003/17:13:35", where x.x.x is the file version. The vulnerability exists if this file version is in the range v1.0.15 through v1.4.6.

Check Content: Simply running camstat will return the version information in the top line of the output on any platform. The camstat command is located in the bin subfolder of the installation directory. The /etc/catngcampath text file holds the CAM install location. The version should be at least CAM 1.07 Build 220_13 or CAM 1.11 Build 29_13, depending on the installation major release number.

Vulnerability Discussion: VERITAS NetBackup is a network enabled, high performance network backup and restore application designed for workgroup environments. VERITAS NetBackup is used within the DoD to back up servers and workstations. There is a new vulnerability in VERITAS NetBackup. The severity of this vulnerability ranges from Denial of Service (DoS) to complete system compromise. Successful exploit of this vulnerability would allow the intruder to execute arbitrary code on a vulnerable system, potentially leading to a complete system compromise. VERITAS has released several patches for different versions of the affected software.

The JTF-GNO has received reports of increased scanning on TCP port 13772 in regards to this vulnerability. An exploit has been released and is known to be circulating in the wild, but there have been no reported system compromises within DoD. Situation Awareness Report (SAR) 2005-SA-0023 has been released on the SIPRNet in regard to this vulnerability. This SAR contains details on additional DoD-wide mitigation actions and recommendations.

Mitigations: IAVA Set Mitigation Control

Mitigation Control: While the only way to fully mitigate this security vulnerability is to properly patch NetBackup, there are temporary mitigations.

It is strongly recommended that System Administrators review their requirements for the use of port 13772 across their network and enclave boundaries. If the use of this port is not operationally essential, serious consideration should be given to blocking this port, on a temporary or permanent basis, at firewalls and/or routers. This will limit potential intruders' opportunities to exploit vulnerable systems running VERITAS software. However, port blocking should only be considered an additional mitigating factor and is not a permanent substitute for the correct patching of vulnerable systems.

If the following temporary mitigations are used, they need to be WELL DOCUMENTED internally to ensure all operators and administrators involved with the NetBackup systems are aware of why the workaround is in place. This is to prevent any administrators from inadvertently reversing the changes, leaving the unpatched machine again exposed to attack.

How to disable Java:
Edit the services file (and the inetd.conf file on UNIX machines) and rename bpjava-msvc on all affected machines until change control is available and the machine can be patched.

For UNIX:
- Comment out the bpjava-msvc line in the /etc/services file:
    # bpjava-msvc     13722/tcp       bpjava-msvc
- Comment out the bpjava-msvc line in the /etc/inetd.conf file:
    # bpjava-msvc     stream  tcp     nowait  root   /usr/openv/netbackup/bin/bpjava-msvc bpjava-msvc -transient
- Rename bpjava-msvc to bpjava-msvc.vulnerable or delete bpjava-msvc.
- Finally, restart the inetd daemon.

For Windows:
- Rename bpjava-msvc.exe to bpjava-msvc.exe.vulnerable or delete bpjava-msvc.exe.
- If the Remote Java Console was installed, uninstall it until such time as the machine can be patched.
- Comment out bpjava-msvc in the <%SystemRoot%>\system32\drivers\etc\services file:
    # bpjava-msvc 13722/tcp
- Restart the NetBackup services.

PLEASE NOTE -- On both Windows and UNIX servers, after disabling Java and restarting the daemons/services, confirm there are no Java sessions running, and if there are, terminate them.

After implementing the above workaround, attempts to execute NetBackup Java functions on a machine utilizing this workaround will result in the following error: "NetBackup Status Code: 505 Message: Can not connect to the NB-Java authentication service on (host) on the configured port - (port_number)."

Alternative Management Utilities:
- Install the NetBackup server software on Windows and administer NetBackup using the Windows Administrative Console. Attempts to launch the Java GUI will result in the same error message shown in workaround 2.
- Use the bpadm utility. This utility has a menu interface that an administrator can use to configure NetBackup and monitor its operations. bpadm requires root privileges. This interface can be used from any character-based terminal (or terminal emulation window) for which the administrator has a termcap or terminfo definition. Refer to the VERITAS NetBackup (tm) Commands for UNIX or Windows manuals for more information concerning this option.
- For customers still using releases prior to NetBackup 4.5, use the Motif administrative GUI to administer NetBackup (found in the bin directory: /usr/openv/netbackup/bin). This GUI was retired in NetBackup 4.5.
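The UNIX portion of the workaround above (commenting out the bpjava-msvc entries in /etc/services and /etc/inetd.conf) is the kind of edit that is easy to get wrong by hand and easy to reverse unnoticed, which is why the text asks for it to be documented. The script below is an added example, not part of the advisory: it takes the file paths as arguments so the edit can be rehearsed on constructed copies, comments out only active bpjava-msvc lines (leaving a .bak of each file, and doing nothing on a second run), and offers a `bpjava_active` check that a periodic audit can use to confirm the workaround is still in place. The services and inetd.conf contents it writes are constructed fragments, not real system files; renaming the binary and restarting inetd are left to the administrator as the text describes.

```shell
#!/bin/sh
# Added example: apply and verify the UNIX bpjava-msvc workaround on copies of
# /etc/services and /etc/inetd.conf. Not from the advisory; sample file
# contents are constructed.

# bpjava_active FILE: succeed if FILE still has an uncommented bpjava-msvc
# entry (i.e. the workaround is not in place or has been reversed).
bpjava_active() {
    grep -Eq '^[[:space:]]*bpjava-msvc[[:space:]]' "$1"
}

# disable_bpjava_entries FILE...: comment out every active bpjava-msvc line,
# keeping a .bak copy of each file. Lines that are already comments do not
# match the address, so repeating the operation changes nothing.
disable_bpjava_entries() {
    for f in "$@"; do
        sed -i.bak '/^[[:space:]]*bpjava-msvc[[:space:]]/s/^/# /' "$f"
    done
}

# write_sample_netbackup_files DIR: constructed services / inetd.conf
# fragments using the entries quoted in the mitigation text.
write_sample_netbackup_files() {
    printf '%s\n' \
        '# constructed sample, not a real /etc/services' \
        'telnet          23/tcp' \
        'bpjava-msvc     13722/tcp       bpjava-msvc' > "$1/services"
    printf '%s\n' \
        '# constructed sample, not a real /etc/inetd.conf' \
        'bpjava-msvc     stream  tcp     nowait  root   /usr/openv/netbackup/bin/bpjava-msvc bpjava-msvc -transient' \
        > "$1/inetd.conf"
}

# report_bpjava DIR: print the audit state of both files.
report_bpjava() {
    for f in services inetd.conf; do
        if bpjava_active "$1/$f"; then printf 'ACTIVE    %s\n' "$f"
        else printf 'disabled  %s\n' "$1/$f"; fi
    done
}

demo_bpjava_workaround() {
    d=$(mktemp -d)
    write_sample_netbackup_files "$d"
    echo "before:"; report_bpjava "$d"
    disable_bpjava_entries "$d/services" "$d/inetd.conf"
    echo "after:";  report_bpjava "$d"
    rm -rf "$d"
}
demo_bpjava_workaround
```

On a real host the call would be `disable_bpjava_entries /etc/services /etc/inetd.conf` followed by the rename and an inetd restart from the text; `bpjava_active /etc/services` then serves as the check that the change has not been quietly undone.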

Vulnerability Discussion: A new vulnerability has been discovered in the Computer Associates (CA) iTechnology iGateway component. The CA iTechnology iGateway component is present in multiple Computer Associates products including BrightStor, eTrust, and Unicenter. iTechnology is an integration technology which provides standard web service interfaces to third-party products. The CA iTechnology iGateway component contains a heap overflow condition, which may allow a remote intruder to execute arbitrary code with elevated privileges. This vulnerability exists due to the application's improper handling of boundary checks. This vulnerability affects IBM AIX, HP-UX, Linux, Solaris, and Windows platforms. If successfully exploited, an intruder would be able to execute remote code on Windows platforms or cause a DoS condition against other platforms. The JTF-GNO has not received any reported DoD incidents in regard to this vulnerability. JTF-GNO blocks TCP port 5250.

Vulnerability Discussion: Two new vulnerabilities have been identified affecting Adobe Macromedia Flash. Macromedia Flash is a widely distributed application used to create simple motion graphics, video and animation for interactive websites. This application uses plug-in technology, which adds a specific feature or service to a larger system such as Macromedia Flash. There are two buffer overflow vulnerabilities that could potentially allow an intruder to execute remote code or cause a Denial of Service (DoS) condition. If remote code execution were successful, the intruder could gain full system access. These vulnerabilities require user interaction.

The JTF-GNO has not received any reports of DoD incidents in regard to these vulnerabilities. However, a public exploit is currently available.

Flash Player Vulnerability CVE-2006-0024: Macromedia Flash versions 8.0.22.0 and earlier are susceptible to multiple unspecified vulnerabilities. The most likely attack vector would be via a website. An intruder would have to create a malicious SWF file that includes executable machine code and replacement memory addresses. The intruder could host this malicious file on a webserver, or send the file to a vulnerable user via email. The Flash Player would likely play the malicious SWF file automatically when the vulnerable system either opens the email or visits the website, depending on file-type associations. If successful, the intruder-supplied executable code would run in the security context of the currently logged in user. If the execution of arbitrary code was unsuccessful, a denial of service condition could occur.

Flash Player Vulnerability CVE-2005-2628: A Flash plug-in is vulnerable to an input-validation error for a critical array index value that can be exploited to execute arbitrary code. Because the application fails to accurately validate the input on this index value (computed using fields from the SWF file), an intruder could specify a function pointer beyond the array bounds. Even though the application code places limits on the value of the index field, these limits are ineffective because the index can be offset beyond the array boundary regardless of the limit already set. An intruder would have to create a malicious SWF file with specific data fields that would result in a correct index value that masks the malicious code. The intruder would have to place shellcode and a pointer to the shellcode in a location that would appear at the correct offset from the array, in the heap memory space of the targeted process. The vulnerable system would then have to download and execute the SWF file. This process could happen automatically on many systems if users visit a website hosting the SWF file. If successful, the intruder could take complete control of the affected system. In both vulnerabilities, the intruder would have to entice the user to visit the malicious website, click on the link provided in an email, or open the attachment attached to an email to attempt to compromise a system.

Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer for Windows XP SP2

You can help protect against this vulnerability by temporarily preventing the Flash Player ActiveX control from running in Internet Explorer. On Windows XP SP2 use the Internet Explorer Manage Add-ons feature to disable the ActiveX control.

1. Start Internet Explorer.

2. On the Tools menu, click Manage Add-ons.

3. Locate and click on “Shockwave Flash Object”.

4. To disable the add-on, click Disable, and then click OK.

Note: If you cannot locate the ActiveX control then use the drop-down box to switch from “Add-ons currently being used in Internet Explorer” to “Add-ons that have been used by Internet Explorer” and follow steps 3 and 4. If the ActiveX control is not present in this list you either have not used the ActiveX control before or it is not present on your system. See the workaround “Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer” for additional information.

For more information on the Internet Explorer Manage Add-ons feature in Windows XP SP2, see Microsoft Knowledge Base Article 883256.

Impact: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.

To regain functionality you need to use the Internet Explorer Manage Add-ons feature to enable the ActiveX control.

Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer

Temporarily prevent attempts to instantiate the Flash Player ActiveX control in Internet Explorer by setting the kill bit for the control.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

We recommend that you back up the registry before you edit it.

Use the following text to create a .reg file that temporarily prevents attempts to instantiate the Flash Player ActiveX control in Internet Explorer. You can copy the following text, paste it into a text editor such as Notepad, and then save the file with the .reg file name extension. Run the .reg file on the vulnerable client.

Close Internet Explorer, and reopen it for the changes to take effect.

For detailed steps about stopping a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps and create a Compatibility Flags value in the registry to prevent the Flash Player ActiveX control from running in Internet Explorer.

Impact: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.

To regain functionality you need to undo the kill bits for the Flash Player ActiveX control by removing the registry keys that were added to temporarily prevent attempts to instantiate the Flash Player ActiveX control in Internet Explorer.

Modify the Access Control List on the Flash Player ActiveX control to temporarily prevent it from running in Internet Explorer

To modify the Access Control List (ACL) on the Flash Player ActiveX control to be more restrictive, follow these steps:

4. Close Internet Explorer, and reopen it for the changes to take effect.

Impact: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.

To regain functionality you need to undo the modifications to the Access Control List on the ActiveX control you have on your system.

4. A dialog box confirms that the unregistration process has succeeded. Click OK to close the dialog box.

5. Close Internet Explorer, and reopen it for the changes to take effect.

Impact: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.

4. A dialog box confirms that the registration process has succeeded. Click OK to close the dialog box.

5. Close Internet Explorer, and reopen it for the changes to take effect.

Restrict access to the Macromedia Flash folder by using a Software Restriction Policy

To restrict access to the Macromedia Flash folder (%windir%\system32\Macromed\Flash\) on Windows XP and later, create a Software Restriction Policy. The policy can be created with a registry script or as a Group Policy setting; either way it blocks the Flash Player ActiveX control from being loaded from that folder.

For more information about Group Policy, visit the following Microsoft Web sites:

• Step-by-Step Guide to Understanding the Group Policy Feature Set

• Windows 2000 Group Policy

• Group Policy in Windows Server 2003

Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Change Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

We recommend that you back up the registry before you edit it.

Use the following text to create a .reg file to restrict access to the Macromedia Flash folder. You can copy the following text, paste it into a text editor such as Notepad, and then save the file with the .reg file name extension. Run the .reg file on the vulnerable client.
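The following PowerShell script is an added example, not the advisory's own .reg file: it writes the same kind of Software Restriction Policy path rule (a Disallowed rule under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths) for the Macromedia Flash folder, verifies that the rule is present, and shows how to remove it again. The rule GUID is generated on the fly. One setting is an assumption not stated on this page: because the control is loaded as a library into an already running Internet Explorer process, SRP enforcement is widened to libraries (TransparentEnabled = 2), which makes SRP evaluate every DLL load on the host and can have a performance and compatibility cost.

```powershell
# Added example (not from the advisory): SRP path rule that disallows the Flash folder.
# Run from an elevated prompt; close and reopen Internet Explorer afterwards.
$Safer  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Target = '%windir%\system32\Macromed\Flash\'
$RuleId = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'

function New-SrpDisallowPathRule {
    param([string]$Path, [string]$Id, [string]$Description)
    # Security level 0 = Disallowed; its path rules live under ...\0\Paths\{rule-guid}
    $key = "$Safer\0\Paths\$Id"
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    # Keep the default level Unrestricted (0x40000) so only this rule blocks anything.
    if (-not (Get-ItemProperty -Path $Safer -Name DefaultLevel -ErrorAction SilentlyContinue)) {
        Set-ItemProperty -Path $Safer -Name DefaultLevel -Value 0x40000 -Type DWord
    }
    # ASSUMPTION: enforce for libraries too (2), since an OCX is loaded via LoadLibrary.
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 2 -Type DWord
    Set-ItemProperty -Path $Safer -Name PolicyScope -Value 0 -Type DWord   # 0 = all users
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name Description -Value $Description -Type String
    $key
}

function Test-SrpDisallowPathRule {
    param([string]$Path)
    # Get-ItemProperty expands REG_EXPAND_SZ on read, so compare expanded forms.
    $want  = [Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\')
    $rules = Get-ChildItem -Path "$Safer\0\Paths" -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $data = (Get-ItemProperty -Path $r.PSPath -Name ItemData -ErrorAction SilentlyContinue).ItemData
        if ($data -and ($data.TrimEnd('\') -ieq $want)) { return $true }
    }
    return $false
}

function Remove-SrpDisallowPathRule {
    # Undo step once the patched Flash Player is installed.
    param([string]$Id)
    Remove-Item -Path "$Safer\0\Paths\$Id" -Recurse -ErrorAction SilentlyContinue
}

$ruleKey = New-SrpDisallowPathRule -Path $Target -Id $RuleId -Description 'Block Flash Player ActiveX (temporary workaround)'
"Rule written to $ruleKey"
"Disallow rule present for $Target : " + (Test-SrpDisallowPathRule -Path $Target)
# To undo later:  Remove-SrpDisallowPathRule -Id $RuleId
```

The rule is keyed on the unexpanded path, so it follows %windir% on any drive letter; if the machine is already under a domain Software Restriction Policy, add the rule through Group Policy instead, because a local rule written here can be overwritten at the next policy refresh.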

Change your Internet Explorer settings to prompt before running ActiveX controls or disable ActiveX controls in the Internet security zone and in the Local intranet security zone

You can help protect against this vulnerability by changing your Internet Explorer settings to prompt before running ActiveX controls. To do this, follow these steps:

1. In Internet Explorer, click Internet Options on the Tools menu.

2. Click the Security tab.

3. Click Internet, and then click Custom Level.

4. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.

5. Click Local intranet, and then click Custom Level.

6. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.

7. Click OK two times to return to Internet Explorer.

Impact: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the following method:

Restrict Web sites to only your trusted Web sites.

After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to Internet Explorer's Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

1. In Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab.

2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.

3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.

4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.

5. Repeat these steps for each site that you want to add to the zone.

6. Click OK two times to accept the changes and return to Internet Explorer.

Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are "*.windowsupdate.microsoft.com" and "*.update.microsoft.com" (without the quotation marks). These are the sites that host the update, and installing it requires an ActiveX control.

Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX controls in these zones

You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.

To raise the browsing security level in Microsoft Internet Explorer, follow these steps:

1. On the Internet Explorer Tools menu, click Internet Options.

2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.

3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

Note: If no slider is visible, click Default Level, and then move the slider to High.

Note: Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

Impact: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, add the sites you trust to the Trusted sites zone as described above.
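As an added example (not part of the advisory), the following PowerShell script makes the same changes as the two dialog procedures above by writing the per-user registry keys that the Internet Options dialog edits: it sets "Run ActiveX controls and plug-ins" to Prompt for the Internet and Local intranet zones and adds the two update sites to the Trusted sites zone. The key layout and numbers are Internet Explorer's own (zone 1 = Local intranet, 2 = Trusted sites, 3 = Internet; action 1200 = Run ActiveX controls and plug-ins with 0 = Enable, 1 = Prompt, 3 = Disable; ZoneMap\Domains\<domain>[\<sub>] with a value named after the scheme and the zone number as data). It assumes the registrable domain is the last two labels of the host name, which holds for the sites named on this page.

```powershell
# Added example (not from the advisory). Applies to the user running it.
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ActiveXRun = '1200'   # URLACTION "Run ActiveX controls and plug-ins"

function Set-ZoneActiveXMode {
    param([int]$Zone, [ValidateSet('Enable','Prompt','Disable')][string]$Mode)
    $value = @{ Enable = 0; Prompt = 1; Disable = 3 }[$Mode]
    Set-ItemProperty -Path "$ZonesKey\$Zone" -Name $ActiveXRun -Value $value -Type DWord
}

function Get-ZoneActiveXMode {
    param([int]$Zone)
    $v = (Get-ItemProperty -Path "$ZonesKey\$Zone" -Name $ActiveXRun -ErrorAction SilentlyContinue).$ActiveXRun
    switch ($v) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "unknown ($v)" } }
}

function Add-TrustedSite {
    param([string]$HostPattern, [ValidateSet('http','https','*')][string]$Scheme = 'https')
    # "*.windowsupdate.microsoft.com" -> Domains\microsoft.com\*.windowsupdate
    # "*.example.com"                 -> Domains\example.com   (covers all subdomains)
    # Scheme '*' is the registry form of clearing "Require server verification (https:)".
    $labels = $HostPattern.Split('.')
    if ($labels.Count -lt 2) { throw "expected a dotted host name, got '$HostPattern'" }
    $domain = $labels[-2..-1] -join '.'                                   # ASSUMPTION: two-label domain
    $sub    = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { '' }
    $key    = if ($sub -and $sub -ne '*') { "$DomainsKey\$domain\$sub" } else { "$DomainsKey\$domain" }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord        # 2 = Trusted sites zone
    $key
}

foreach ($zone in 3, 1) { Set-ZoneActiveXMode -Zone $zone -Mode Prompt }
foreach ($site in '*.windowsupdate.microsoft.com', '*.update.microsoft.com') {
    'trusted: ' + (Add-TrustedSite -HostPattern $site)
}
'Internet zone ActiveX = {0}; Local intranet ActiveX = {1}' -f (Get-ZoneActiveXMode -Zone 3), (Get-ZoneActiveXMode -Zone 1)
```

If the machine uses machine-wide zone settings (the Security_HKLM_only policy), the HKCU values written here are ignored and the same keys must be set under HKLM or pushed through Group Policy; either way, close and reopen Internet Explorer so it rereads the zone settings.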

Remove the Flash Player from your system

If you want to remove Flash Player, refer to the Adobe Flash Player Support FAQ for instructions.

To regain functionality, install the Flash Player ActiveX control from the Adobe Web site.

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Upgrade or apply a patch as specified by the vendor. Upgrade Flash Player to version 8.0.24.0 (or to 7.0.63.0 for installations that remain on version 7).

Verify that Flash Player has been updated to the appropriate version by checking the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\Flashplayer\CurrentVersion

On Windows XP the fix is also delivered as a Microsoft patch; verify it by checking that the following file is at the indicated version or later: Geninst.exe 6.0.2800.1544
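Added example, not part of the check text: this PowerShell snippet reads the Flash Player ActiveX version from the registry key named above and judges it against the fixed levels given (8.0.24.0, or 7.0.63.0 for systems kept on the 7.x branch). Flash stores the version comma-separated ("8,0,24,0"), which the [version] type will not parse as-is, so the string is normalised first; the sample strings in the self-check are constructed, not read from a real system.

```powershell
# Added example (not from the check text). Key as given on this page; on 64-bit Windows the
# 32-bit control registers under HKLM:\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer instead.
$FlashKey = 'HKLM:\SOFTWARE\Macromedia\FlashPlayer'

function ConvertTo-FlashVersion {
    param([Parameter(Mandatory)][string]$Raw)
    # Accept "8,0,24,0" (registry form) or "8.0.24.0"; reject anything else loudly.
    $text = $Raw.Trim() -replace ',\s*', '.'
    if ($text -notmatch '^\d+(\.\d+){1,3}$') { throw "unrecognised Flash version string '$Raw'" }
    [version]$text
}

function Test-FlashFixed {
    param([Parameter(Mandatory)][version]$Installed)
    # 7.x is fixed from 7.0.63.0; anything else must be at least 8.0.24.0.
    if ($Installed.Major -eq 7) { return $Installed -ge [version]'7.0.63.0' }
    return $Installed -ge [version]'8.0.24.0'
}

function Get-FlashFinding {
    $raw = (Get-ItemProperty -Path $FlashKey -Name CurrentVersion -ErrorAction SilentlyContinue).CurrentVersion
    if (-not $raw) { return 'Flash Player ActiveX control not registered: not applicable' }
    $v = ConvertTo-FlashVersion $raw
    if (Test-FlashFixed $v) { "Flash Player $v is at or above the fixed level" }
    else { "FINDING: Flash Player $v is below the fixed level (need 8.0.24.0, or 7.0.63.0 on 7.x)" }
}

# Self-check with constructed strings (expected: True, False, True, False, True), then the real key.
foreach ($s in '8,0,24,0', '8,0,22,0', '7,0,63,0', '7,0,61,0', '9,0,16,0') {
    '{0,-10} fixed: {1}' -f $s, (Test-FlashFixed (ConvertTo-FlashVersion $s))
}
Get-FlashFinding
```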

Vulnerability Discussion:A new vulnerability exists in RealVNC (Virtual Network Computing), an application that allows users to access computers remotely. The VNC server fails to validate the authentication method requested by a remote client against the methods it actually offered, so a client can select an authentication type of its own choosing. This could allow a remote intruder to bypass authentication and gain full control of the VNC server session.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Windows

Verify that VNC 4.1.x has been upgraded to version 4.1.2. Verify that VNC 4.2.x has been upgraded to version 4.2.3.

Search for the following file and check the version number:

Winvnc4.exe

Check Content:To determine if the VNC software is installed on a UNIX system, perform the following command:

# find / -name vncserver -print

If the software is found, after determining the binary is not a trojan, perform the following as a non-privileged user to retrieve the version information:

$ vncserver -help

This will display the version on the first line returned. If the version is not at least 4.2.3 (or, for installations on the 4.1 branch, 4.1.2), this is a finding.

Vulnerability Discussion:A new vulnerability has been discovered in several Trend Micro AntiVirus products. The Trend Micro AntiVirus suite is widely used to provide antivirus capabilities to desktop, server, and gateway systems. This vulnerability exists because the scan engine fails to properly validate data. It could allow an attacker to execute malicious code with elevated privileges, which could result in complete compromise of the affected system; failed exploitation attempts could result in a denial of service condition. This vulnerability affects all Trend Micro products and versions utilizing the Scan Engine and Pattern File technology.

Client software is not provided as part of the Trend Micro DoD Enterprise Solution.

Vulnerability Discussion:Symantec has reported two vulnerabilities associated with the Symantec Antivirus Engine's Decomposer component. This component is used to decompose certain types of archive content while scanning for malicious code. The Symantec AntiVirus scan engine is implemented in numerous antivirus products from Symantec including Norton AntiVirus, Mail Security, Web Security and others. To exploit these vulnerabilities, the attacker could create a maliciously-crafted file, then have a vulnerable system scan the file. In order to have an affected system scan the malicious file, the attacker could email the file to an email gateway or specific email addresses, or host the malicious file on a web site and entice a user to open the file. Exploitation of these vulnerabilities may occur without user interaction on systems configured to automatically scan email content, such as email gateways. The successful exploitation of these vulnerabilities would result in the execution of arbitrary code with full administrative rights or a denial of service of the system.

The JTF-GNO has not received any reports of DoD incidents related to these vulnerabilities. At this time, there are no known exploits publicly or privately available.

CAB Parsing Heap Overflow Vulnerability (CVE-2007-0447): This vulnerability exists due to a boundary error within the Symantec Decomposer component while handling or scanning maliciously formatted CAB archives. The parsing routine implicitly trusts certain user-supplied values, which can result in an exploitable heap corruption. A malicious .CAB file could be crafted to exploit the vulnerability and may contain arbitrary code, replacement memory addresses, and possibly NOP instructions.

RAR File Parsing DoS Vulnerability (CVE-2007-3699): This vulnerability is due to an input validation error within the Symantec Decomposer component while handling RAR archives. The specific vulnerability resides in a forged PACK_SIZE field of a RAR file header. By setting this field to a specific value an infinite loop denial of service condition will occur when the scanner processes the file. When the affected applications process a malicious .RAR file, the system either crashes or enters into an infinite loop, denying service to legitimate users.

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Verify that the vendor upgrade has been applied. Versions should be updated as specified below:

Check Content:Determine the version of the Symantec software. Review content here: http://www.symantec.com/avcenter/security/Content/2007.07.11f.html

[editor's note: there is a large list of impacted products and their associated version numbers, this did not format well to this spreadsheet, instead please review the content listed at the URL above]

Upgrade or patch to non-vulnerable version of affected product.

Vulnerability Discussion:Hewlett-Packard (HP) has reported a new vulnerability affecting multiple HP Openview products. HP Openview is a suite of software applications which allow large-scale system and network management of an organization's IT assets. Successful exploitation of this vulnerability would allow an attacker to execute remote code with administrative rights. To exploit this vulnerability, an attacker would have to send specific maliciously-crafted packets to an affected system.

At this time, there are no known exploits available; JTF-GNO is not aware of any DoD incidents related to this vulnerability. HP OpenView is a network-management application available for multiple operating platforms. OVTrace Shared Trace Service is used to log the actions of OpenView components for debugging potential problems. HP OpenView applications are prone to a remote stack-based buffer-overflow vulnerability because the OVTrace service fails to perform adequate boundary checks on user-supplied input. The 'ovtrcsvc.exe' service on TCP port 5053 and the 'OVTrace.exe' service on TCP port 5051 are affected. The vulnerability may be triggered by sending malformed data to various opcode handlers, including 0x1a and 0x0f. Attackers can exploit this vulnerability to execute arbitrary code with superuser privileges.

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Windows - Apply appropriate hotfix or upgrade to a non-vulnerable version. See vendor bulletins for details. Interview the SA to determine if affected products are installed and have been patched.

Vulnerability Discussion:Real Networks has reported multiple vulnerabilities affecting RealPlayer and HelixPlayer, applications that allow users to play various media formats on Linux, Mac, and Windows platforms. Successfully exploiting any of these vulnerabilities will allow an attacker to execute arbitrary code within the context of the application; for the ActiveX-based issues that is the application hosting the control (typically Microsoft Internet Explorer). Failed exploit attempts will result in a denial-of-service condition. To exploit these vulnerabilities, an attacker would have to entice a user of an affected system to view a webpage that hosts a maliciously crafted file. At this time, there is a proof of concept for one of these vulnerabilities; JTF-GNO is not aware of any DoD incidents related to these vulnerabilities.

RealPlayer File Parsing Routines Multiple Vulnerabilities (CVE-2007-5080, CVE-2007-5081, CVE-2007-2264, CVE-2007-4599): RealPlayer is prone to multiple memory-corruption vulnerabilities caused by errors in the file-parsing functions. To exploit these vulnerabilities, a remote attacker would create a maliciously crafted MOV, MP3, RM, RAM, or PLS file, and then entice an unsuspecting user to open the malicious file using a vulnerable application. When the application processes the data, the attacker-supplied code runs within the affected application or causes a denial of service.

RealPlayer SWF File Processing Remote Code Execution Vulnerability (CVE-2007-2263): RealPlayer is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. This particular problem occurs in the SWF rendering ActiveX control, because the control fails to handle malformed record headers. The ActiveX control for this vulnerability is identified by the following CLSID: {CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA}. To exploit this vulnerability, an attacker would create a maliciously crafted file and host it on a webpage. The attacker would then entice an unsuspecting victim to visit this webpage using an application that hosts the affected ActiveX control. When the page is processed, memory becomes corrupted and the attacker-supplied code runs in the context of the application. The successful exploitation of this vulnerability would allow an attacker to execute arbitrary code within the context of the application that invoked the ActiveX control (typically Internet Explorer). Failed exploit attempts will result in a denial-of-service condition.

RealPlayer/HelixPlayer ParseWallClockValue Function Buffer Overflow Vulnerability (CVE-2007-3410): RealPlayer and HelixPlayer are prone to a buffer-overflow vulnerability because the applications fail to bounds-check user-supplied data before copying it into an insufficiently sized buffer. This problem occurs in the 'parseWallClockValue()' function when parsing the 'HH:mm:ss.f' time format. The ActiveX control associated with RealPlayer is identified with the following CLSID: {CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA}. To exploit this vulnerability, an attacker would construct a maliciously crafted SMIL file, which can be hosted on a webpage. The attacker would then entice an unsuspecting user to visit the webpage with an application using the affected ActiveX control. When the page is processed, memory becomes corrupted and the attacker-supplied code runs in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions. A proof-of-concept exists for this vulnerability.

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Windows - Download and apply the appropriate patches from the vendor.

Vulnerability Discussion:Symantec has reported one denial of service vulnerability and one buffer overflow vulnerability that could allow arbitrary code execution, both associated with the Symantec Antivirus Engine's Decomposer component. This component is used to decompose certain types of archive content while scanning for malicious code. The Symantec AntiVirus scan engine is implemented in numerous antivirus products from Symantec including Norton AntiVirus, Mail Security, Web Security and others. To exploit these vulnerabilities an attacker would send a maliciously-crafted file to an affected system and entice an unsuspecting user to open the file. When the affected application scans the file, memory becomes corrupted and the attacker's code executes. Exploitation of these vulnerabilities may occur without user interaction on systems configured to automatically scan email content, such as email gateways. The successful exploitation of these vulnerabilities would result in the execution of arbitrary code in the context of the current user, and failed exploits could result in a denial of service.

The JTF-GNO has not received any reports of DoD incidents related to these vulnerabilities. At this time, there are no known exploits available.

Symantec Scan Engine 5.1.2 RAR File Denial of Service Vulnerability (CVE-2008-0308): Remote exploitation of a denial of service vulnerability in Symantec Scan Engine version 5.1.2 could allow an unauthenticated attacker to create a denial of service (DoS) condition. Symantec Scan Engine listens on TCP port 1344 to accept files for scanning using the Internet Content Adaptation Protocol (ICAP). If the service is sent a malformed RAR file, the service will consume massive amounts of memory. This can result in a denial of service condition for the application and operating system.

Symantec Scan Engine 5.1.2 RAR File Buffer Overflow Vulnerability (CVE-2008-0309): Remote exploitation of a stack-based buffer overflow vulnerability in Symantec Scan Engine version 5.1.2 could allow an unauthenticated attacker to execute arbitrary code with the privileges of the scan engine process. Symantec Scan Engine listens on TCP port 1344 to accept files for scanning using the Internet Content Adaptation Protocol (ICAP). If the service is sent a specially malformed RAR file, a stack-based buffer overflow occurs; a successful exploit runs the attacker's code, and a failed one causes a denial of service condition.

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Apply Symantec patch or upgrade to a non-vulnerable version.
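Both the HP OpenView entry above (ovtrcsvc.exe on TCP 5053, OVTrace.exe on TCP 5051) and this Symantec Scan Engine entry (ICAP on TCP 1344) describe network-reachable services, and their check content stops at "interview the SA" or "apply the patch". The following PowerShell script is an added example, not part of either check: it parses "netstat -ano" (so it also works on older Windows without Get-NetTCPConnection), reports which of those ports are actually listening on the host, on which address, and which process image owns the socket, so the auditor can tell an exposed listener from one bound to loopback or not running at all. The port-to-product table is taken from this page; the process mapping relies only on Get-Process.

```powershell
# Added example (not from the check text): find the listeners named on this page.
$Watch = @{
    5051 = 'HP OpenView OVTrace.exe'
    5053 = 'HP OpenView ovtrcsvc.exe'
    1344 = 'Symantec Scan Engine (ICAP)'
}

function ConvertFrom-NetstatLine {
    # Turns "  TCP    0.0.0.0:5053    0.0.0.0:0    LISTENING    1234" into an object;
    # returns $null for UDP rows (4 fields, no state) and for non-listening TCP rows.
    param([string]$Line)
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'LISTENING') { return $null }
    $addr, $port = $f[1] -split ':(?=\d+$)'      # split at the last colon, so [::]:5053 works too
    New-Object PSObject -Property @{ Address = $addr; Port = [int]$port; Pid = [int]$f[4] }
}

function Get-WatchedListeners {
    param([string[]]$NetstatOutput = (netstat -ano))
    foreach ($line in $NetstatOutput) {
        $l = ConvertFrom-NetstatLine $line
        if ($l -and $Watch.ContainsKey($l.Port)) {
            $proc = Get-Process -Id $l.Pid -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Port     = $l.Port
                Address  = $l.Address          # 127.0.0.1 / ::1 = local only; 0.0.0.0 / :: = exposed
                Pid      = $l.Pid
                Image    = if ($proc) { $proc.ProcessName } else { '?' }
                Expected = $Watch[$l.Port]
            }
        }
    }
}

$found = @(Get-WatchedListeners)
if ($found.Count -eq 0) { 'None of the watched ports are listening on this host.' }
else { $found | Select-Object Port, Address, Pid, Image, Expected | Format-Table -AutoSize }
```

A listener whose Image does not match the Expected product deserves a second look in its own right; a matching image on 0.0.0.0 means the vulnerable service is reachable from the network until the vendor fix is applied.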

Download and apply the appropriate patches from the JTF-GNO AntiVirus website: https://www.jtfgno.mil/antivirus/symantec.htm

Vulnerability Discussion:Computer Associates has reported an ActiveX control vulnerability affecting BrightStor ARCserve Backup for Laptops and Desktops. BrightStor ARCserve is a backup and data retention tool that integrates with other BrightStor Data Availability and BrightStor Storage Management solutions. The products provide backup and restore protection for multiple operating systems and applications. To exploit this vulnerability, an attacker would host a website and entice an unsuspecting user to visit the malicious HTML page that triggers the buffer overflow. The successful exploitation of this vulnerability would allow an unauthenticated remote attacker to execute arbitrary code on an affected system with the privileges of the current user.

At this time, there are known exploits associated with this vulnerability circulating in the wild, but the JTF-GNO is not aware of any DoD related incidents. A stack-based buffer overflow vulnerability exists in the ListCtrl ActiveX Control (ListCtrl.ocx), as used in multiple CA products including BrightStor ARCserve Backup R11.5, Desktop Management Suite r11.1 through r11.2, and Unicenter products r11.1 through r11.2. The vendor has recommended the following steps to determine if the user's system (Windows) is affected:

1. Using Windows Explorer, locate the file "ListCtrl.ocx". By default, the file is in the "C:\Program Files\CA\DSM\bin\" directory.

2. Right click on the file and select Properties.

3. Select the Version tab.

4. If the file version is earlier than indicated in the security notes table, the installation is vulnerable.

This vulnerability allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a long argument to the AddColumn method.

Mitigations:CA BrightStor workaround

Mitigation Control:Computer Associates has tested the following temporary mitigating strategy. While this strategy will not permanently correct the underlying vulnerability, it may be used to help block known attack vectors until fix actions can be completed.

As a temporary workaround solution, disable the ListCtrl ActiveX control in the registry by setting the kill bit on CLSID {BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}. Disabling the control may prevent the GUI from functioning correctly. Refer to Microsoft KB article 240797 (http://support.microsoft.com/kb/240797) for information on how to disable an ActiveX control.

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Windows - Download and apply the appropriate patches from the vendor.

1. Using Windows Explorer, locate the file "ListCtrl.ocx". By default, the file is in the "C:\Program Files\CA\DSM\bin\" directory.

2. Right click on the file and select Properties.

3. Select the Version tab.

4. If the file version is earlier than indicated below, the installation is vulnerable.

Vulnerability Discussion:Multiple vulnerabilities have been discovered in the Autonomy KeyView module shipped with the Symantec Mail Security products. Autonomy KeyView is a component used in multiple applications. It adds high-speed filtering, the ability to export documents to web-ready HTML or valid XML, and high-fidelity viewing capabilities. To exploit these vulnerabilities, an attacker constructs a malicious file attachment designed to exploit one of these vulnerabilities and then sends an email with the malicious file to a user of an affected system. If successfully exploited, these vulnerabilities could allow an attacker to cause a denial of service condition or compromise the affected system.

At this time, there are no known exploits available for this vulnerability and JTF-GNO is not aware of any DoD incidents related to this vulnerability. Multiple heap-based buffer overflow vulnerability (CVE-2007-5399) - Multiple heap-based buffer overflows in emlsr.dll in the EML reader in Autonomy (formerly Verity) KeyView 10.3.0.0, as used by IBM Lotus Notes, allow remote attackers to execute arbitrary code via a long (1) To, (2) Cc, (3) Bcc, (4) From, (5) Date, (6) Subject, (7) Priority, (8) Importance, or (9) X-MSMail-Priority header; (10) a long string at the beginning of an RFC2047 encoded-word in a header; (11) a long text string in an RFC2047 encoded-word in a header; or (12) a long Subject header, related to creation of an associated filename.

Multiple buffer overflow vulnerabilities in kpagrdr.dll (CVE-2007-5405) - Multiple buffer overflows in kpagrdr.dll 2.0.0.2 and 10.3.0.0 in the Applix Presents reader in Autonomy (formerly Verity) KeyView, as used by IBM Lotus Notes, Symantec Mail Security, and activePDF DocConverter, allow remote attackers to execute arbitrary code via a .ag file with (1) a long ENCODING attribute in a *BEGIN tag, (2) a long token, or (3) the initial *BEGIN tag.

Applix Presents reader vulnerability (CVE-2007-5406) - kpagrdr.dll 2.0.0.2 and 10.3.0.0 in the Applix Presents reader in Autonomy (formerly Verity) KeyView, as used by IBM Lotus Notes, Symantec Mail Security, and activePDF DocConverter, does not properly parse long tokens, which allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted .ag file.

Multiple buffer overflows vulnerabilities in htmsr.dll (CVE-2008-0066) - Multiple buffer overflows in htmsr.dll in the HTML speed reader in Autonomy (formerly Verity) KeyView, as used by IBM Lotus Notes 7.0.2 and 7.0.3, allow remote attackers to execute arbitrary code via an HTML document with (1) "large chunks of data," or a long URL in the (2) BACKGROUND attribute of a BODY element or (3) SRC attribute of an IMG element.

Buffer overflow vulnerabilities in kvdocve.dll (CVE-2008-1101) - Buffer overflow in kvdocve.dll in the KeyView document viewing engine in Autonomy (formerly Verity) KeyView, as used by IBM Lotus Notes 7.0.2 and 7.0.3, allows remote attackers to execute arbitrary code via a long pathname, as demonstrated by a long SRC attribute of an IMG element in an HTML document.

Mitigations:Symantec Workarounds

Mitigation Control:Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

Workaround for Symantec Mail Security for Domino

Installations of SMS for Domino 7.5 that are not utilizing the Content Filtering capabilities of the product are not susceptible. SMS for Domino 7.5 would be susceptible only if the attachment content scanning option is enabled.

Administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for Symantec Mail Security for Domino:

1. Select the Content Filtering tab to display the list of currently enabled rules.

2. Click the checkmark to the left of any rule that utilizes attachment content filtering, changing it to a red X and disabling the rule.

Workaround for Symantec Mail Security for SMTP and Symantec Mail Security Appliance

Installations of SMS for SMTP and SMS Appliance that are not utilizing the Content Filtering capabilities of the product are not susceptible to this issue. SMS for SMTP and Appliance would be susceptible only if the attachment content scanning option is enabled.

Administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for SMS for SMTP and SMS Appliance:

1. Log into the Management Console and select the Settings tab.

2. Select Scanning from the Email Scanning group in the Navigation List.

3. To disable, uncheck the option Enable searching of non-plain text attachments for words in dictionaries.

Workaround for Symantec Mail Security for Microsoft Exchange

Installations of SMS for Microsoft Exchange 5.x that are not utilizing the Content Filtering capabilities of the product are not susceptible. SMS for Microsoft Exchange 5.x is susceptible only if the attachment content scanning option is enabled.

Administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for SMS for Microsoft Exchange:

1. Select the Policies tab and then choose Content Filtering to display the list of currently enabled rules.

2. Ensure that all rules using attachment content are disabled.

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Windows - Download and apply the appropriate patches from the vendor.

Symantec Mail Security for Microsoft Exchange 5.0 - Customers currently using SMSMSE 5.x builds should either wait for 5.0.10 to be released next month and disable content filtering until that build is available OR upgrade to SIFMSMSE version 6.0.5.

Symantec Mail Security Appliance 5.0.x - Update to 5.0.0-36 or later

Note: Symantec Mail Security Appliance 5.0.x is not covered under the DoD-wide contract

Vulnerability Discussion:Computer Associates has reported a remote code execution vulnerability affecting various CA products that implement the distributed systems management (DSM) gui_cm_ctrls ActiveX control. The products provide backup and restore protection for multiple operating systems and applications. To exploit this vulnerability, an attacker would create and distribute a malicious webpage either by hosting it on a website or by sending it via email. Once an unsuspecting user is enticed to visit the malicious site, the attacker's code is run in the context of the user running the affected application. The successful exploitation of this vulnerability could lead to the compromise of the application and possibly the underlying computer and failed attacks will result in a denial-of-service condition.

At this time, there are no known exploits associated with this vulnerability, and the JTF-GNO is not aware of any DoD related incidents. This remote code-execution vulnerability is due to an input validation error associated with the distributed systems management (DSM) "gui_cm_ctrls" ActiveX control (gui_cm_ctrls.ocx). Specifically, this control function does not sufficiently verify function arguments. The successful exploitation of this vulnerability would allow an unauthenticated remote attacker to compromise the application and possibly the underlying computer by means of executing arbitrary code in the context of the user running the affected application.

Mitigations:CA workaround

Mitigation Control:Computer Associates has tested the following temporary mitigating strategy. While this strategy will not permanently correct the underlying vulnerability, it may be used to help block known attack vectors until fix actions can be completed.

As a temporary workaround solution, disable the gui_cm_ctrls ActiveX control in the registry by setting the kill bit on CLSID {E6239EB3-E0B0-46DA-A215-CFA9B3B740C5}. Disabling the control may prevent the GUI from functioning correctly.

Refer to Microsoft KB article 240797 (http://support.microsoft.com/kb/240797) for information on how to disable an ActiveX control.
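Three workarounds on this page come down to the same registry change from KB 240797: the Flash Player ActiveX control (whose .reg file above sets a Compatibility Flags value), the CA ListCtrl control ({BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}) and the CA gui_cm_ctrls control ({E6239EB3-E0B0-46DA-A215-CFA9B3B740C5}). The following PowerShell script is an added example, not vendor code: it sets the kill bit (0x400 in Compatibility Flags under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\<CLSID>), verifies it, and clears only that bit again on undo. It ORs the bit into any existing flags instead of overwriting them, and on 64-bit Windows also writes the Wow6432Node copy that 32-bit Internet Explorer reads. The two CA CLSIDs are the ones given on this page; the Flash Player CLSID is not given here and must be supplied by the operator.

```powershell
# Added example (not from the advisory or the vendors): set / verify / clear ActiveX kill bits.
# Run from an elevated prompt; close and reopen Internet Explorer for the change to apply.
$KillBit = 0x400   # FLAG_KILL_BIT in "Compatibility Flags"

function Get-ActiveXCompatKey {
    param([Parameter(Mandatory)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {   # 64-bit host: 32-bit IE reads the WOW view
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    $paths
}

function Get-CompatFlags {
    param([string]$Key)
    [int](Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($key in Get-ActiveXCompatKey -Clsid $Clsid) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $new = (Get-CompatFlags $key) -bor $KillBit     # keep any other flags already present
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    # True only if the kill bit is set in every applicable registry view.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($key in Get-ActiveXCompatKey -Clsid $Clsid) {
        if (-not (Test-Path $key)) { return $false }
        if (((Get-CompatFlags $key) -band $KillBit) -eq 0) { return $false }
    }
    return $true
}

function Remove-ActiveXKillBit {
    # Undo: clear only the kill bit so other compatibility flags survive.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($key in Get-ActiveXCompatKey -Clsid $Clsid) {
        if (-not (Test-Path $key)) { continue }
        $new = (Get-CompatFlags $key) -band (-bnot $KillBit)
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

$controls = @{
    '{BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}' = 'CA ListCtrl.ocx'
    '{E6239EB3-E0B0-46DA-A215-CFA9B3B740C5}' = 'CA gui_cm_ctrls.ocx'
    # add the Flash Player control's CLSID here; it is not listed on this page
}
foreach ($clsid in $controls.Keys) {
    Set-ActiveXKillBit -Clsid $clsid
    '{0,-22} {1}  kill bit set: {2}' -f $controls[$clsid], $clsid, (Test-ActiveXKillBit -Clsid $clsid)
}
# Undo for one control once the vendor fix is installed:
# Remove-ActiveXKillBit -Clsid '{BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}'
```

Test-ActiveXKillBit is the audit half: run it alone on a host where the workaround is claimed to be in place, and treat a missing Wow6432Node entry on a 64-bit host as a finding, because that is the view the 32-bit browser actually consults.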

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Download and apply the appropriate patches from the vendor.

See the vendor bulletin for additional information.

1. Using Windows Explorer, locate the file "gui_cm_ctrls.ocx". By default, the file is in the "C:\Program Files\CA\DSM\bin\" directory.

2. Right click on the file and select Properties.

3. Select the Version tab.

4. If the file version is earlier than indicated below, the installation is vulnerable.

Vulnerability Discussion:Computer Associates has addressed vulnerabilities affecting BrightStor ARCserve Backup on various platforms, including Windows, Linux and Solaris. BrightStor ARCserve is a backup and data retention tool that integrates with other BrightStor Data Availability and BrightStor Storage Management solutions. The products provide backup and restore protection for multiple operating systems and applications. To exploit these vulnerabilities, an attacker would create and send a maliciously crafted data file to an affected system. Successful exploitation of the most serious of these vulnerabilities would allow an unauthenticated remote attacker to gain system-level privileges, resulting in the compromise of a vulnerable system. Failed attempts would cause a denial-of-service condition.

At this time, there are no known exploits associated with these vulnerabilities and the JTF-GNO is not aware of any DoD related incidents. "caloggerd" Directory Traversal Vulnerability (CVE-2008-2241): Directory traversal vulnerability in caloggerd in CA BrightStor ARCServe Backup 11.0, 11.1, and 11.5 allows an unauthenticated remote attacker to append arbitrary data to arbitrary files via directory traversal sequences in unspecified input fields, which are used in log messages. This vulnerability is due to insufficient path verification by the logging service, caloggerd. Note: This vulnerability can be leveraged for code execution in many installation environments by writing to a startup file or configuration file.

1. Locate the file "caloggerd.exe". By default, it is in the "C:\Program Files\CA\BrightStor ARCserve Backup" directory.

2. Right click on the file and select Properties.

3. Select the General tab.

4. If the file timestamp is earlier than indicated in the below table, the installation is vulnerable.

Vulnerability Discussion:IBM has addressed a remote buffer overflow vulnerability affecting IBM Lotus Sametime. IBM Lotus Sametime is a platform for Unified Communications and Collaboration (UC) which offers integrated enterprise instant messaging, VoIP, video chat and Web conferencing capabilities with security features. Both the client and server applications can be used on Linux, AIX, Solaris, and Windows operating systems. To exploit this vulnerability, a remote attacker would construct and send a maliciously crafted HTTP request to a vulnerable system. Successful exploitation would trigger a stack-based buffer overflow and allow the remote attacker to execute arbitrary code in the context of the affected service. Failed exploit attempts would likely result in a denial-of-service condition.

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Windows - See the IAVM notice and vendor bulletin for additional information.

Note: System administrators are recommended to refer to the Detailed System Requirements - Sametime 8.0.1 to determine the software versions affected by this vulnerability: http://www-1.ibm.com/support/docview.wss?rs=477&uid=swg27012109

See Fixes section for appropriate actions.

Check Content:Unix

Determine the version of the Sametime software

#/unisphere/srx3000/srx/version/pkgversion -ps

Upgrade to non-vulnerable version of affected product.
_____________________________________________________________

Vulnerability Discussion:Sun Microsystems has identified vulnerabilities affecting Sun Java System Web Server and Sun Java System Web Proxy Server. These servers run on Sun Solaris, Linux, Windows, HP-UX and AIX operating systems. The Sun Java Web Server is an enterprise-level web server. The Sun Java Application Server is an enterprise-level application server and is hosted by the Sun Java Web Server. To exploit these vulnerabilities, an attacker would bypass access validation on an affected page or entice a user to follow a maliciously crafted URI link hosted on a website or sent via email. If successfully exploited, these vulnerabilities would allow an unauthenticated remote attacker to gain unauthorized access to sensitive information, or to execute arbitrary script code in the context of the affected site and steal cookie-based authentication credentials, hijack sessions or cause a loss of data privacy.

At this time, there are no known exploits available and the JTF-GNO is not aware of any DoD incidents related to these vulnerabilities. JSP Information Disclosure (CVE-2008-2120): Unspecified vulnerability in Sun Java System Application Server 7 2004Q2 before Update 6, Web Server 6.1 before SP8, and Web Server 7.0 before Update 1 allows remote attackers to obtain source code of JSP files via unknown vectors.

To determine the version of Sun Java System Application Server on a system, the following command can be run: $ <AS-install>/bin/asadmin version --verbose (where <AS-install> is the installation directory of the Application Server).

To determine the version of Sun Java System Web Server 6.1 on a system, the following command can be run: $ <WS-install>/https-<host>/start -version (where <WS-install> is the installation directory of the Web Server and <host> is the actual host name on which the Web Server is installed).

To determine the version of Sun Java System Web Server 7.0 on a system, the following command can be run: $ <WS-install>/bin/wadm --version (where <WS-install> is the installation directory of the Web Server).

Mitigations:Sun Java Workaround

Mitigation Control:Sun has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

Sun Advisory 1-66-231467-1
To work around the described issue, edit the default search web application file named index.jsp, located at /lib/webapps/search/index.jsp, and remove the line containing the text out.println(s);.

Sun Advisory 1-66-236481-1
The following file can be edited to work around this issue:

Check Content:Windows - Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Note: System administrators are recommended to refer to the appropriate Sun Microsystems Alert to determine the software versions affected by these vulnerabilities.

To determine the version of Sun Java System Application Server on a system, the following command can be run: $ <AS-install>/bin/asadmin version --verbose (where <AS-install> is the installation directory of the Application Server).

To determine the version of Sun Java System Web Server 6.1 on a system, the following command can be run: $ <WS-install>/https-<host>/start -version (where <WS-install> is the installation directory of the Web Server and <host> is the actual host name on which the Web Server is installed).

To determine the version of Sun Java System Web Server 7.0 on a system, the following command can be run: $ <WS-install>/bin/wadm --version (where <WS-install> is the installation directory of the Web Server).

Upgrade to the following versions or later:
Sun Java System Application Server 7 2004Q2 with Update 6 or later
Sun Java System Web Server 6.1 with Service Pack 9 or later
Sun Java System Web Server 6.1 with patch 121524-05 or later
Sun Java System Web Server 7.0 with Update 3 or later
Sun Java System Web Server 7.0 with patch 125441-12 or later

Check Content:After determining the binary is not a trojan, determine the version of Sun Java System Application Server on a system by running the following command as a non-privileged user: $ <AS-install>/bin/asadmin version --verbose (where <AS-install> is the installation directory of the Application Server).

After determining the binary is not a trojan, determine the version of Sun Java System Web Server 6.1 on a system by running the following command as a non-privileged user: $ <WS-install>/https-<host>/start -version (where <WS-install> is the installation directory of the Web Server and <host> is the actual host name on which the Web Server is installed).

After determining the binary is not a trojan, determine the version of Sun Java System Web Server 7.0 on a system by running the following command as a non-privileged user: $ <WS-install>/bin/wadm --version (where <WS-install> is the installation directory of the Web Server).

Vulnerability Discussion:Sun Microsystems has addressed multiple security vulnerabilities in the Sun Java Active Server Pages (ASP) Server. ASP is a server-side script engine that is used for dynamically-generated web pages. To exploit these vulnerabilities, a remote attacker would create and send malicious requests to a vulnerable server. The successful exploitation of these vulnerabilities would allow a local or remote unprivileged user to execute arbitrary code with the privileges of the root user or with the privileges of the user running the Sun Java ASP Server. These vulnerabilities may also allow a remote unprivileged user to gain unauthorized access to data, create arbitrary files on an affected system and bypass authentication mechanisms on the ASP application server.

At this time, there are no known exploits associated with these vulnerabilities and the JTF-GNO is not aware of any DoD related incidents. Sun Java System Active Server Pages File Creation Vulnerability - CVE-2008-2401: The Admin Server in Sun Java Active Server Pages (ASP) Server before 4.0.3 allows remote attackers to append to arbitrary new or existing files via the first argument to a certain file that is included by multiple unspecified ASP applications. To exploit this vulnerability, a remote attacker would create and send a malicious request to an affected application via TCP port 5100. When the application processes the request, an arbitrary file is created or arbitrary data is appended to the file. Successful exploitation would allow an unauthenticated remote attacker to execute arbitrary code with superuser privileges. Note: Port 5100 is not blocked.

Sun Java System Active Server Pages Information Disclosure Vulnerability - CVE-2008-2402: The Admin Server in Sun Java Active Server Pages (ASP) Server before 4.0.3 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read password hashes and configuration data via direct requests for unspecified documents. To exploit this vulnerability, a remote attacker would create and submit a malicious request to TCP port 5100 of a vulnerable server. When the server processes the request, the requested file is returned to the attacker. The successful exploitation of this vulnerability would enable an unauthenticated remote attacker to gain access to sensitive information that could be used in further attacks. Note: Port 5100 is not blocked.

Sun Java System Active Server Pages Multiple Directory Traversal Vulnerabilities - CVE-2008-2403: Multiple directory traversal vulnerabilities in unspecified ASP applications in Sun Java Active Server Pages (ASP) Server before 4.0.3 allow remote attackers to read or delete arbitrary files via a .. (dot dot) in the Path parameter to the MapPath method. To exploit this vulnerability, a remote attacker would create and send a malicious HTTP GET request via TCP port 5100 to a vulnerable application through the vulnerable parameter. The requested file is returned to the attacker if the web server process has read access to the file. Successful exploitation would give an unauthenticated remote attacker the ability to access files that may contain sensitive information. Note: Port 5100 is not blocked.

Sun Java System Active Server Pages Buffer Overflow Vulnerability - CVE-2008-2404: Stack-based buffer overflow in the request handling implementation in Sun Java Active Server Pages (ASP) Server before 4.0.3 allows remote attackers to execute arbitrary code via an unspecified string field. To exploit this vulnerability, an attacker would create and submit a malicious request to an affected server. The attacker's code is executed when the server processes the request. The successful exploitation of this vulnerability would enable an unauthenticated remote attacker to cause the complete compromise of the affected server and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions.
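The caloggerd issue (CVE-2008-2241) and the MapPath issue (CVE-2008-2403) above are instances of the same defect: a caller-supplied name is joined to a base directory and used without checking where the result lands. The following Python example is added here for illustration and is not code from CA, Sun or the JTF-GNO; the base directory and the file names are constructed. It shows the vulnerable join beside a hardened resolver that refuses anything outside the base directory.

```python
import posixpath

# Constructed base directory that a logging service or a web application's
# path helper is supposed to confine file access to. Illustrative only, not
# a path from any CA or Sun product.
BASE_DIR = "/var/app/logs"


def resolve_unsafe(base, user_path):
    """Vulnerable pattern: join the caller-supplied name and trust the
    result. '..' components walk out of base, which is the defect class
    behind the caloggerd and MapPath advisories."""
    return posixpath.normpath(posixpath.join(base, user_path))


def resolve_safe(base, user_path):
    """Hardened: normalise, then require the result to stay under base.
    Returns None (refuse) rather than a path that escapes."""
    if "\x00" in user_path:            # NUL truncates paths in C runtimes
        return None
    # Strip leading separators so an absolute name cannot replace base.
    candidate = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    root = posixpath.normpath(base)
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def audit_requests(base, names):
    """Return the names the hardened check refuses; the unsafe join would
    have accepted every one of them."""
    return [n for n in names if resolve_safe(base, n) is None]


if __name__ == "__main__":
    for name in ["job/2008-06-12.log", "../../../etc/rc.local", "/etc/passwd"]:
        print(f"{name!r:28} unsafe -> {resolve_unsafe(BASE_DIR, name)!r:26} "
              f"safe -> {resolve_safe(BASE_DIR, name)!r}")
```

On a real filesystem, resolve the candidate with os.path.realpath before the containment test so that a symlink inside the base directory cannot be used to escape it.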

Mitigation Control:Sun Microsystems has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POAM to help block known attack vectors until required compliance actions can be completed.

Workaround

To work around the issues described in CVE-2008-2401, CVE-2008-2402, CVE-2008-2403 and CVE-2008-2406 on the SPARC, Linux, HP-UX and AIX platforms, disable the Admin Server on the Sun Java ASP Server. Sun Java ASP Server on the Windows platform is not affected by the issues described in these CVEs.

The Admin Server may be disabled as the root user by using the following command:

# /opt/casp/admtool -e

There is no workaround for the issues described in CVE-2008-2404 and CVE-2008-2405.

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Download and apply the appropriate patches from the vendor.

Vulnerable Applications
Sun Java ASP Server 4.0.2 or earlier

The version of Sun Java ASP Server installed may be determined by checking the following key in the Windows system registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\ChiliSoft\ChiliAsp\Install]
"CaspVersion"="4.0.3"

A CaspVersion value of 4.0.2 or earlier is a finding.

Vulnerability Discussion:Net-SNMP has addressed a remote authentication bypass vulnerability in the way Simple Network Management Protocol version 3 (SNMPv3) handles specially crafted packets. SNMP is a standardized protocol used for remotely monitoring and managing network devices. To exploit this vulnerability, a remote attacker would create and send a malicious SNMPv3 packet carrying a 1-byte Hash Message Authentication Code (HMAC) to an affected system. When the affected system processes the packet, an attacker who knows a valid username, but not its authentication key, is validated and granted access because the application fails to properly check the number of HMAC bytes before comparing them. Successful exploitation would allow the remote attacker to read sensitive information from a device or, depending on the SNMP configuration, make configuration changes to it.

At this time, exploit code is available for this vulnerability; the JTF-GNO is not aware of any DoD related incidents. System Administrators are required to refer to the appropriate security advisory or third-party vendor security notice to determine whether their systems are vulnerable.

SNMPv3 HMAC Verification Vulnerability (CVE-2008-0960): SNMP can be configured to use version 3, the current standard version of SNMP. SNMPv3 incorporates security features such as authentication and privacy (encryption). Authentication for SNMPv3 uses a keyed-Hash Message Authentication Code (HMAC), a message authentication code calculated with a cryptographic hash function and a secret key; the sender places a truncated HMAC in the authenticator field of the message. Vulnerable implementations compare only as many HMAC bytes as the sender supplied, and accept an authenticator as short as 1 byte, so an attacker can authenticate to an agent or a trap daemon with at most 256 guesses per message.

Note: The Cisco Advisory notes that SNMP requests and traps are transported over User Datagram Protocol (UDP) and are received at the assigned destination port numbers 161 and 162, respectively. These ports are blocked.
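To make the length-check flaw concrete, the following Python example is added here; it is not Net-SNMP code, and the key and message are constructed. It shows a verifier that compares only the bytes the sender supplied, the corrected verifier, and an attacker loop that, without the key, tries every 1-byte authenticator against each.

```python
import hashlib
import hmac
from itertools import product

# Constructed values, not a real SNMPv3 key or packet. SNMPv3 USM with
# HMAC-SHA-96 (RFC 3414) carries the first 12 bytes of HMAC-SHA1 over the
# whole message in msgAuthenticationParameters.
AGENT_AUTH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
SAMPLE_MSG = b"constructed SNMPv3 wholeMsg with authParams zeroed"
MAC_LEN = 12


def compute_mac(key, msg):
    """HMAC-SHA-96 authenticator over the message."""
    return hmac.new(key, msg, hashlib.sha1).digest()[:MAC_LEN]


def verify_vulnerable(msg, received_mac):
    """Pattern behind CVE-2008-0960: compare only as many bytes as the sender
    supplied. A 1-byte authenticator then needs at most 256 guesses."""
    expected = compute_mac(AGENT_AUTH_KEY, msg)
    n = len(received_mac)
    return 0 < n <= MAC_LEN and expected[:n] == received_mac


def verify_fixed(msg, received_mac):
    """Corrected check: the authenticator must be exactly MAC_LEN bytes and is
    compared in constant time."""
    if len(received_mac) != MAC_LEN:
        return False
    return hmac.compare_digest(compute_mac(AGENT_AUTH_KEY, msg), received_mac)


def forge(verifier, msg, mac_len=1):
    """Attacker without the key: resend the message with every possible
    authenticator of mac_len bytes. Returns (attempts, accepted_mac or None)."""
    attempts = 0
    for guess in product(range(256), repeat=mac_len):
        attempts += 1
        candidate = bytes(guess)
        if verifier(msg, candidate):
            return attempts, candidate
    return attempts, None


if __name__ == "__main__":
    for name, verifier in (("vulnerable", verify_vulnerable), ("fixed", verify_fixed)):
        attempts, mac = forge(verifier, SAMPLE_MSG)
        print(f"{name}: {attempts} attempts, accepted authenticator = {mac!r}")
```

The vulnerable verifier accepts a forged 1-byte authenticator after at most 256 tries; the fixed verifier rejects every short authenticator outright, so guessing would have to cover the full 96-bit value.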

Mitigations:SNMP mitigation

Mitigation Control:Net-SNMP has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

1) Install one of the updated packages immediately which will fix the problems. If you do that, you need not take any of the other steps below.

If you are using Net-SNMP through a third-party distribution such as your operating system vendor, they should be releasing updates for their systems as soon as possible as well (likely today for most of them).

2) If this is impossible to do quickly and immediately you can do any of the following to help:

a) Put firewalls in front of your SNMP ports. This is generally recommended anyway, since restricting access to any server that doesn't need to be reachable from the entire Internet is always good practice.

b) Utilize encryption in addition to authentication. Turning on *and requiring* DES or AES support for your SNMPv3 users will at least make attacking a system more difficult. Cryptographically speaking, encryption is not a good form of authentication, but in this case it is better than not using it even if you don't need to protect your SNMPv3 packets from disclosure. Make sure you change your VACM authorization settings to require that encryption be used. For example, in the rwuser or rouser config tokens add priv to the end:

Change from:
rwuser wes
rouser joe

Change to:
rwuser wes priv
rouser joe priv

c) Decrease what an authenticated packet can do. If you do not need SNMP SETs to be supported on your network, you can turn them off by disallowing them. For example:

Change from:
rwuser wes priv

Change to:
rouser wes priv

d) Detect illegal authentication attempts by turning on authentication notifications. If you are using SNMP notifications (traps and informs) in your network of SNMP agents, adding the following line to your snmpd.conf file will make the agent send a trap or inform when someone fails to authenticate properly to the agent. Because an attacker trying to exploit this issue will not succeed every time, you should get notifications that devices are being targeted:

authtrapenable 1

(You will also need to define trap destinations if you have not already)
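The following Python example, added here and not part of the Net-SNMP advisory, applies mitigations (b), (c) and (d) to an snmpd.conf text and audits which USM user lines still accept unencrypted packets. The configuration fragment is constructed; the user names follow the advisory's own example.

```python
import re

# Constructed snmpd.conf fragment in the weak form shown in the advisory.
WEAK_CONF = """\
# constructed example snmpd.conf (not from a real host)
rwuser wes
rouser joe
trap2sink nms.example.net public
"""

# rwuser/rouser USER [noauth|auth|priv] [OID restriction ...]
USER_LINE = re.compile(
    r"^(?P<directive>rwuser|rouser)\s+(?P<user>\S+)"
    r"(?:\s+(?P<level>noauth|auth|priv))?(?P<rest>.*)$"
)


def harden_snmpd_conf(text, allow_sets=False):
    """Apply mitigations (b), (c) and (d): require 'priv' on every USM user,
    demote rwuser to rouser unless SETs are really needed, and make sure
    'authtrapenable 1' is present exactly once. Other lines pass through."""
    out = []
    seen_authtrap = False
    for line in text.splitlines():
        stripped = line.strip()
        m = USER_LINE.match(stripped)
        if m:
            directive = m.group("directive")
            if directive == "rwuser" and not allow_sets:
                directive = "rouser"
            out.append(f"{directive} {m.group('user')} priv{m.group('rest')}")
        elif stripped.startswith("authtrapenable"):
            if not seen_authtrap:
                out.append("authtrapenable 1")
            seen_authtrap = True
        else:
            out.append(line)
    if not seen_authtrap:
        out.append("authtrapenable 1")
    return "\n".join(out) + "\n"


def audit_snmpd_conf(text):
    """List USM user lines that still accept packets without encryption."""
    weak = []
    for line in text.splitlines():
        m = USER_LINE.match(line.strip())
        if m and m.group("level") != "priv":
            weak.append(line.strip())
    return weak


if __name__ == "__main__":
    print("weak lines before:", audit_snmpd_conf(WEAK_CONF))
    print(harden_snmpd_conf(WEAK_CONF))
```

Run the audit against the live file first; any line it reports is a user who can authenticate with a forged short HMAC and an unencrypted packet. Trap destinations (trap2sink, trapsess) are left untouched but must exist for authtrapenable to be of any use.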

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Unix

Determine the location of the snmpget binary

#find / -name snmpget

Determine the version of the SNMP software

Run the binary found by the find command with the --version option (for example: # /usr/local/bin/snmpget --version).

Upgrade to non-vulnerable version of affected product.
_____________________________________________________________

Vulnerability Discussion:A Domain Name System (DNS) Protocol cache poisoning vulnerability has been identified affecting various applications and platforms (i.e., ISC BIND, Cisco, Juniper, Linux). The DNS is responsible for translating host names to IP addresses (and vice versa) and is critical for the normal operation of internet-connected systems. DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver. To exploit this vulnerability, a remote attacker would capture DNS requests and collect the transaction IDs from a vulnerable system. Ultimately, this collected information would enable the attacker to predict further transaction IDs and UDP source ports which would be used for spoofing DNS replies to queries sent by the vulnerable system. The successful exploitation of this vulnerability would enable an unauthenticated remote attacker to redirect network traffic to arbitrary IP addresses specified by the attacker.

At this time, there are no known exploits available; JTF-GNO is not aware of any DoD incidents related to this vulnerability. DNS Spoofing Vulnerability - CVE-2008-1447: The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via certain cache poisoning techniques against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability."

Mitigations:US-CERT Mitigation for DNS

Mitigation Control:US-CERT (http://www.kb.cert.org/vuls/id/800113) has recommended the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POAM to help block known attack vectors until required compliance actions can be completed.

Restrict access: Administrators, particularly those who are unable to apply a patch, can limit exposure to this vulnerability by restricting sources that can ask for recursion. Note that restricting access will still allow attackers with access to authorized hosts to exploit this vulnerability. Securing an Internet Name Server (http://www.cert.org/archive/pdf/dns.pdf) contains instructions for restricting recursion in ISC BIND.

Filter traffic at network perimeters: Because the ability to spoof IP addresses is necessary to conduct these attacks, administrators should filter spoofed addresses at the network perimeter. IETF Request for Comments (RFC) documents RFC 2827 (http://tools.ietf.org/html/rfc2827), RFC 3704 (http://tools.ietf.org/html/rfc3704), and RFC 3013 (http://tools.ietf.org/html/rfc3013) describe best current practices (BCPs) for implementing this defense. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.

Run a local DNS cache: In lieu of strong port randomization characteristics in a stub resolver, administrators can protect their systems by using local caching full-service resolvers, both on the client systems and on servers that are topologically close on the network to the client systems, in conjunction with the network segmentation and filtering strategies mentioned above.

Disable recursion: Disable recursion on any nameserver responding to DNS requests made by untrusted systems. Securing an Internet Name Server contains instructions for disabling recursion in various versions of ISC's BIND.

Implement source port randomization: Vendors that implement DNS software are encouraged to review IETF Internet Draft, Measures for making DNS more resilient against forged answers, (http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience) for additional information about implementing mitigations in their products. This document is a work in progress and may change prior to its publication as an RFC, if it is approved.
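The following Python example is added to illustrate why source port randomization matters; it is a constructed model, not code from any DNS implementation or from US-CERT. A resolver keeps pending queries keyed by (source port, transaction ID); an attacker floods forged replies, guessing the transaction ID and, when the port is not fixed, the port as well.

```python
import random
import struct

# Constructed model of the entropy argument above; no real resolver, product
# or network is involved.
QNAME = "www.example.com"
TXID_SPACE = 65536
EPHEMERAL_PORTS = range(1024, 65536)
FIXED_PORT = 32768   # assumed fixed source port of an unpatched resolver


def build_reply(txid):
    """Minimal 12-byte DNS header for a response (QR, RD, RA set; 1 question, 1 answer)."""
    return struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)


def parse_txid(pkt):
    return struct.unpack(">H", pkt[:2])[0]


class Resolver:
    """Accepts the first reply whose destination port and txid match a pending query."""

    def __init__(self, rng, randomize_port):
        self.rng = rng
        self.randomize_port = randomize_port
        self.pending = {}

    def send_query(self, qname):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else FIXED_PORT
        self.pending[(port, txid)] = qname
        return port, txid

    def receive(self, dst_port, pkt):
        return self.pending.pop((dst_port, parse_txid(pkt)), None) is not None


def poisoning_trial(attacker_rng, resolver, port_known, forged_per_query, queries):
    """After each query the attacker sends forged_per_query spoofed replies,
    guessing the txid and, when the port is not known, the destination port.
    Returns how many queries ended with a forged reply accepted."""
    hits = 0
    for _ in range(queries):
        port, _ = resolver.send_query(QNAME)
        for _ in range(forged_per_query):
            guess_port = port if port_known else attacker_rng.choice(EPHEMERAL_PORTS)
            if resolver.receive(guess_port, build_reply(attacker_rng.randrange(TXID_SPACE))):
                hits += 1
                break
        resolver.pending.clear()   # legitimate answer arrives; the race is over
    return hits


def per_query_success(forged, port_space=1):
    """Approximate chance that a single query is poisoned (guesses with replacement)."""
    return 1 - (1 - 1 / (TXID_SPACE * port_space)) ** forged


def compare(seed=2008, queries=2000, forged=512):
    """Hits against a fixed-port resolver versus one that randomizes its source port."""
    fixed = poisoning_trial(random.Random(seed), Resolver(random.Random(seed + 1), False),
                            True, forged, queries)
    randomized = poisoning_trial(random.Random(seed), Resolver(random.Random(seed + 1), True),
                                 False, forged, queries)
    return fixed, randomized


if __name__ == "__main__":
    fixed, randomized = compare()
    print(f"fixed port: {fixed} poisoned of 2000; randomized port: {randomized} poisoned of 2000")
    print(f"per-query odds: fixed {per_query_success(512):.4f}, "
          f"randomized {per_query_success(512, len(EPHEMERAL_PORTS)):.2e}")
```

With a fixed source port the attacker only has to hit a 16-bit transaction ID, so a few hundred forged replies per query win a measurable fraction of races; a random ephemeral port multiplies the search space by roughly 64,000 and the same flood wins essentially none. That is the "socket entropy" the CVE refers to, and why restricting recursion and filtering spoofed sources are only partial mitigations.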

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Windows - Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Cisco products:

- Cisco Network Registrar: All Cisco Network Registrar versions are affected, and DNS services are enabled by default. The DNS server on CNR is enabled via the command-line interface (CLI) commands "server dns enable start-on-reboot" or "dns enable start-on-reboot", or via the web management interface in the Servers page by selecting the appropriate "Start," "Stop," or "Reload" button.

- Cisco Global Site Selector used in combination with Cisco Network Registrar: The Cisco Global Site Selector (GSS) is affected when it is used in combination with Cisco Network Registrar software to provide a more complete DNS solution. Fixed software would come in the form of an update of the Cisco Network Registrar software rather than an update of the GSS software.

Vulnerability Discussion:Red Hat has identified a vulnerability affecting OpenSSH running on Red Hat operating systems. OpenSSH is a free implementation of the Secure Shell protocol suite. To exploit this vulnerability, a remote attacker would entice an unsuspecting victim to download and install a maliciously crafted OpenSSH package from a compromised Red Hat repository server. Successful exploitation would allow the attacker to gain superuser privileges and take complete control of the affected system. At this time, there are known exploits available for these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

Vulnerability Discussion:Red Hat has reported multiple vulnerabilities in Red Hat/Fedora Directory Server. Red Hat Directory Server is a Lightweight Directory Access Protocol (LDAP)-based server that centralizes application settings, user profiles, group data, policies, and access control information into an operating system-independent and network-based registry. To exploit these vulnerabilities, a remote attacker would send a malicious request to a vulnerable system. If successfully exploited, these vulnerabilities would allow a remote attacker to execute arbitrary code and compromise an affected system or cause a denial-of-service condition.

At this time, there are no known exploits available; JTF-GNO is not aware of any DoD incidents related to these vulnerabilities. Directory Server: adminutil / CGI heap overflow vulnerability - CVE-2008-2932:Heap-based buffer overflow in Red Hat adminutil 1.1.6 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via % (percent) encoded HTTP input to unspecified CGI scripts in Fedora Directory Server. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-2929.

Vulnerability Discussion:Cisco has addressed a vulnerability affecting Cisco Unity servers. Cisco Unity is a voice and unified messaging platform. Cisco Unity can be configured to interoperate with Microsoft Exchange or IBM Lotus Domino, enabling users to access e-mail, voice, and fax messages from a single inbox. To exploit this vulnerability, an unauthenticated remote attacker would send requests to the authentication page of a vulnerable device that is configured for anonymous authentication. If successfully exploited, this vulnerability would allow an unauthenticated remote attacker to gain administrative privileges on the affected system.

At this time, there are no known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD incidents related to this vulnerability. Authentication Bypass Vulnerability - (CVE-2008-3814): An unspecified vulnerability exists in Cisco Unity 4.x before 4.0ES161, 5.x before 5.0ES53, and 7.x before 7.0ES8, when using anonymous authentication. Successful exploitation would allow an unauthenticated remote attacker to bypass authentication and read or modify system configuration parameters via unknown vectors.

Note: Per DoD APL, DoD implementations should be using Windows Authentication, not Anonymous Authentication.

Mitigation Control:Temporary Mitigation Strategies Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed. Integrated Windows authentication is not affected by this vulnerability and may be used as an alternative to Anonymous Authentication.

Details on authentication mechanisms and how to configure them can be found in the Installation Guide for Cisco Unity in the Setting Up Authentication for the Cisco Unity Administrator section.

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Affected Cisco Products
Cisco Unity versions 4.x, 5.x and 7.x

Upgrade to the following:
Cisco Unity software version 4.0ES161 for the 4.2(1) ES release
Cisco Unity software version 5.0ES53 for the 5.0(1) ES release
Cisco Unity software version 7.0ES8 for the 7.0(2) ES release

Vulnerability Discussion:Adobe has addressed a vulnerability associated with Flash Player which affects Linux platforms only. Adobe Flash Player is a multimedia application for Microsoft Windows, Mac, and Linux Operating Systems. To exploit this vulnerability, a remote attacker would entice a user to view/access a maliciously crafted Flash/SWF file hosted on a web site or sent via email. If successfully exploited, this vulnerability would allow an unauthenticated remote attacker to execute arbitrary code and compromise an affected system.

At this time, there is exploit code available for this vulnerability; JTF-GNO is not aware of any DoD related incidents. Malicious SWF file vulnerability - (CVE-2008-5499): A critical vulnerability has been identified in Adobe Flash Player for Linux 10.0.12.36, and Adobe Flash Player for Linux 9.0.151.0 and earlier, that could allow an attacker who successfully exploits it to take control of the affected system. A specially formed SWF must be loaded in Flash Player for Linux by the user for an attacker to exploit this vulnerability.

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Determine if Flash Player is installed by searching for:

If any of the files above are found, open a browser to determine the version. Enter about:plugins in the address bar to display the version information. If the version is lower than 10.0.15.3, this is a finding.
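Several checks on this page (the gui_cm_ctrls.ocx file version, snmpget --version, and the Flash Player version from about:plugins) compare a dotted version string against a fixed version. Comparing them as strings gets this wrong ("9.0.151.0" sorts after "10.0.15.3"). The following Python helper is added here and is not part of the original check content; it takes the fixed version as a parameter rather than hard-coding any threshold, and the sample versions in its main block are the Flash Player ones from the item above.

```python
import re

# Matches the first dotted numeric version in a file-version field or a
# "--version" banner; anything after it (build tags, platform) is ignored.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text):
    """Return the first dotted numeric version in text as a tuple of ints,
    e.g. 'Flash Player 10.0.15.3 (Linux)' -> (10, 0, 15, 3)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no dotted version in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_earlier(found, fixed):
    """True when found is earlier than fixed. Components compare numerically
    and shorter tuples are zero-padded, so 10.0.15 < 10.0.15.3 and
    9.0.151.0 < 10.0.15.3, which a plain string comparison would get wrong."""
    a, b = parse_version(found), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


if __name__ == "__main__":
    fixed = "10.0.15.3"
    for found in ("10.0.12.36", "9.0.151.0", "10.0.15.3", "10.0.100.0"):
        verdict = "finding" if is_earlier(found, fixed) else "not a finding"
        print(f"{found:>12} vs {fixed}: {verdict}")
```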

Vulnerability Discussion:Sun Microsystems has addressed two security vulnerabilities affecting the Sun Java System Access Manager, formerly known as the Sun Java System Identity Server. The System Access Manager is used to manage the secure access to web applications on many OS platforms (i.e., Solaris, Windows, Linux, and HP-UX). To exploit these vulnerabilities, a remote attacker (i.e., having either the necessary privileges to access the administration console, or having 'sub-realm' administrator access) would locate a vulnerable system and exploit the respective security vulnerability. If successfully exploited, the most serious of these vulnerabilities would allow an authenticated remote attacker to elevate their privileges and completely compromise a vulnerable system.

At this time, there are no known exploits available for these vulnerabilities; JTF-GNO is not aware of any DoD related incidents. Sub-Realm Administrators Privilege Escalation Security Vulnerability (CVE-2009-0169): Sun Java System Access Manager 7.1 allows remote authenticated sub-realm administrators to gain privileges, as demonstrated by creating the amadmin account in the sub-realm, and then logging in as amadmin in the root realm.

To determine the version of Sun Java System Access Manager, the following command can be run:

$ <access-manager-install-dir>/bin/amadmin --version
Sun Java System Access Manager 7.1

(where <access-manager-install-dir> is the installation directory of the Sun Java System Access Manager).

Check Content:To determine if Sun Java System Access Manager is installed, the following command can be run on a Solaris system:

# pkginfo -l SUNWamsvc

To determine the version of Access Manager on a Solaris system, the following command can be run:

# pkgparam SUNWamsvc VERSION

After determining the binary is not a trojan, determine the version of Sun Java System Access Manager on other systems by running the following command as a non-privileged user:

$ <access-manager-install-dir>/bin/amadmin -version

Verify the patches listed in the preceding vulnerable systems are installed.
_____________________________________________________________

Vulnerability Discussion:Sun Microsystems has addressed an information disclosure vulnerability within the Sun Java System Application Servers WEB-INF and META-INF directories. The Sun Java System Application Server is a platform for delivering server-side Java applications and Web services on various operating system platforms (Windows, Sun, Linux). To exploit this vulnerability, a remote attacker would create and submit a request to a targeted system's WEB-INF and META-INF directories. If successfully exploited, this vulnerability would allow a remote attacker to read the Web Application configuration files in WEB-INF and META-INF directories resulting in the disclosure of sensitive information.

At this time, there are no known exploits available for this vulnerability; JTF-GNO is not aware of any DoD related incidents.

Sun Java Application Server Information Disclosure Vulnerability (CVE-2009-0278): A vulnerability exists in Sun Java System Application Server (AS) 8.1 and 8.2 which enables a remote attacker to read the Web Application configuration files in the WEB-INF or META-INF directory via a malformed request. The remote attacker could use this information disclosure for additional attacks.
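The notice above says only that a "malformed request" reached files under WEB-INF or META-INF; it does not say how the request was malformed. The following is an added example, not code from Sun or from the IAVM notice: a request-path guard that percent-decodes repeatedly, folds backslashes, collapses dot segments and compares case-insensitively before refusing anything that resolves into those two directories, plus a small helper that runs the same test over access-log request paths so an administrator can look for probes. The log lines and the trailing-dot handling are constructed assumptions for the demonstration.

```python
"""Request-path guard for the WEB-INF / META-INF disclosure class.

Added example (not Sun's code and not part of the original notice).  The
guard normalises the path the way a servlet container's file resolution
eventually would, then denies any path that lands in WEB-INF or META-INF.
"""
import posixpath
from urllib.parse import unquote

PROTECTED = {"web-inf", "meta-inf"}


def normalise_path(raw):
    """Decode and canonicalise a request path before it is matched."""
    p = raw.split("?", 1)[0].split("#", 1)[0]
    # Decode until stable so double-encoded sequences such as %252e are unwrapped.
    for _ in range(5):
        dec = unquote(p)
        if dec == p:
            break
        p = dec
    p = p.replace("\\", "/")
    # normpath collapses ".", ".." and repeated slashes.
    return posixpath.normpath("/" + p.lstrip("/"))


def is_protected(raw):
    """True if the request resolves into WEB-INF or META-INF at any depth."""
    for seg in normalise_path(raw).split("/"):
        # Defensive assumption: strip trailing dots/spaces, which Windows
        # filesystems ignore, so "WEB-INF." is treated as "WEB-INF".
        if seg.rstrip(". ").casefold() in PROTECTED:
            return True
    return False


def flag_probes(log_lines):
    """Return request paths from common-log-format lines that hit protected dirs."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        req = parts[1].split()
        if len(req) >= 2 and is_protected(req[1]):
            hits.append(req[1])
    return hits


# Constructed sample access-log lines (not from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2009:10:00:01 -0500] "GET /app/index.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Feb/2009:10:00:02 -0500] "GET /app/WEB-INF/web.xml HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Feb/2009:10:00:03 -0500] "GET /app/%2e%2e/app/META-INF/MANIFEST.MF HTTP/1.1" 200 90',
    '10.0.0.9 - - [12/Feb/2009:10:00:04 -0500] "GET /app/web-inf%2fweb.xml HTTP/1.1" 404 -',
]

if __name__ == "__main__":
    for path in flag_probes(SAMPLE_LOG):
        print("probe for protected directory:", path)
```

A 200 response on any of the flagged paths is the disclosure the notice describes; a 404 or 403 shows the container already blocks that form of the request.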

Responsibility:System AdministratorIAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

To determine the version of Sun Java System Application Server on a system, the following command can be run:

$ <AS_install>/bin/asadmin -version

(Where <AS_install> is the installation directory of the Application Server).

Note: Application Server versions prior to 8.1 or later than 8.2 are not affected by this issue.

Check Content:After determining the binary is not a trojan, determine the version of Sun Java System Application Server by running the following command as a non-privileged user:

$ <AS_INSTALL>/bin/asadmin version --verbose

Where <AS_INSTALL> is the installation directory of the Application Server.

Verify one of the patches listed in the preceding vulnerable systems has been installed.
_____________________________________________________________

Vulnerability Discussion:Hewlett Packard (HP) has reported a security vulnerability with certain HP LaserJet printers. To exploit this vulnerability a remote attacker would send a specially crafted URI that contains directory-traversal strings to an affected device. If successfully exploited, this vulnerability would allow a remote attacker to gain unauthorized access to sensitive information.

Vulnerability Discussion:Adobe has addressed multiple vulnerabilities associated with Flash Player. Adobe Flash Player is a multimedia application for Microsoft Windows, Mac, and Linux Operating Systems. To exploit these vulnerabilities, a remote attacker would entice a user to view/access a maliciously crafted Flash/SWF file hosted on a web site or sent via email. If successfully exploited, these vulnerabilities would allow an unauthenticated remote attacker to compromise the affected application.

Responsibility:System AdministratorIAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Windows - Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Note: Adobe recommends users upgrade to the latest version of Flash Player 10. For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.159.0.

Check the following registry key to determine the version of Flash Player:

HKLM\Software\Macromedia\FlashPlayer
Value: CurrentVersion

Alternately, check the version through the support information link for the program in Add or Remove Programs, or in Programs and Features (Vista/2008): expose the Version column by right-clicking the column headers, selecting More..., and selecting Version.

Vulnerability Discussion:Symantec has reported a vulnerability affecting Symantec Veritas Netbackup. Symantec Veritas Netbackup is an enterprise level backup and recovery suite available for various operating systems. To exploit this vulnerability, an attacker would create and send malicious code to a vulnerable application. If successfully exploited, this vulnerability would allow an attacker to execute arbitrary code in the context of the vulnerable application. Failed attempts may result in memory corruption or a denial-of-service condition.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

Mitigations/Workarounds
Symantec Security Response has released an IPS/IDS signature, Signature ID 23283, to detect and block attempts to exploit this issue. The signature is available through normal update channels.

Vulnerability Discussion:IBM has reported a vulnerability in DB2 Content Manager. DB2 is a relational database management system produced by IBM capable of running on various platforms to include: AIX, HP-UX, Linux, Solaris and Windows. Due to limited information during the release of this notice, exploit information is not available. This notice will be modified if additional information related to this vulnerability changes.

At this time, there are no known exploits associated with this vulnerability; the JTF-GNO is not aware of any DoD related incidents.

IBM DB2 Content Manager eClient Vulnerability - (CVE-2009-1231): Unspecified vulnerability in the eClient in IBM DB2 Content Manager 8.4.1 before 8.4.1.1 has unknown impact and attack vectors.

Responsibility:System AdministratorIAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Windows - Download and apply the appropriate patches from the vendor. See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications:IBM DB2 Content Manager 8.4.1

To determine the Content Manager version:
1. Open a command prompt.
2. Enter %IBMCMROOT%\bin\cmlevel

Check Content:Determine the db2 installed version and fixpack by viewing the output from:
# db2level

The version should display 8.4.1.1. Note that db2level reports the level of the DB2 database engine; the Content Manager level itself comes from the cmlevel command above, so check both.

At this time, there are no known exploits available for these vulnerabilities; JTF-GNO is not aware of any DoD incidents related to these vulnerabilities.

vmware-authd Denial of Service Vulnerability (CVE-2009-0177): vmwarebase.dll, as used in the vmware-authd service (aka vmware-authd.exe), in VMware Workstation 6.5.1 build 126130, 6.5.1 and earlier; VMware Player 2.5.1 build 126130, 2.5.1 and earlier; VMware ACE 2.5.1 and earlier; VMware Server 2.0.x before 2.0.1 build 156745; and VMware Fusion before 2.0.2 build 147997 allows remote attackers to cause a denial of service (daemon crash) via a long (1) USER or (2) PASS command.

ioctl Denial of Service Vulnerability (CVE-2009-1146): Unspecified vulnerability in an ioctl in hcmon.sys in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 1.0.x before 1.0.9 build 156507 and 2.0.x before 2.0.1 build 156745 allows local users to cause a denial of service via unknown vectors, a different vulnerability than CVE-2008-3761.

hcmon.sys Denial of Service Vulnerability (CVE-2008-3761):hcmon.sys in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 1.0.x before 1.0.9 build 156507 and 2.0.x before 2.0.1 build 156745 uses the METHOD_NEITHER communication method for IOCTLs, which allows local users to cause a denial of service via a crafted IOCTL request.

Vulnerability Discussion:Hewlett-Packard (HP) has addressed multiple vulnerabilities affecting HP OpenView Network Node Manager (OV NNM). HP OpenView is a suite of software applications which allow large-scale system and network management of an organization's IT assets. To exploit these vulnerabilities, a remote attacker would create and send a malicious request to a vulnerable system. If successfully exploited, these vulnerabilities would allow a remote attacker to execute arbitrary code and compromise the affected system.

At this time, there are no known exploits associated with these vulnerabilities and the JTF-GNO is not aware of any DoD related incidents.

HP Network Node Manager Vulnerability - (CVE-2009-0720): Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via unknown vectors.

Vulnerability Discussion:Linux has addressed multiple vulnerabilities affecting the Linux kernel. To exploit these vulnerabilities, an attacker would craft and send malicious network data to an affected system. If successfully exploited, these vulnerabilities would result in the complete compromise of an affected system. Failed exploit attempts will result in a denial-of-service condition.

At this time, at least one of these vulnerabilities can be exploited using readily available tools; the JTF-GNO is not aware of any DoD related incidents.

Linux Kernel Integer Overflow Vulnerability - (CVE-2009-1265): Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux kernel 2.6.24.4, and other versions before 2.6.30-rc1, might allow remote attackers to obtain sensitive information via a large length value, which causes "garbage" memory to be sent.

Linux Kernel 'CAP_FS_SET' Incomplete Capabilities List Access Validation Vulnerability: The Linux kernel is prone to an unauthorized-access vulnerability because of an error in the definition of the 'CAP_FS_SET' capabilities mask. This issue has been demonstrated to impact the NFS and VFS filesystems.

Responsibility:System AdministratorIAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Red Hat Enterprise Linux 3 is vulnerable to CVE-2009-1265; RHEL 4 and 5 are not. However, this IAVA covers more than one CVE. A response from the Red Hat Knowledge base indicates RHEL 3 will not be patched, so this will always be a finding on RHEL 3 systems. RHEL 4 does not appear to have any fixes, so this will also be a finding on RHEL 4. Execute uname -a (or uname -r) to determine the running kernel version. RHEL 5 does have a kernel update for the CIFS vulnerability: if the running kernel version is less than 0:2.6.18-128.1.14.el5 (compared as an RPM epoch:version-release, not as a plain string), this is a finding.
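Both the Flash check earlier on this page (is the installed version at least 10.0.15.3?) and the RHEL 5 kernel check here (is the running kernel at least 0:2.6.18-128.1.14.el5?) fail if the versions are compared as strings. The following added example, which is not part of the original checklist, implements the comparison the way rpm does: an optional epoch prefix, a version and an optional release, each split into numeric and alphabetic segments, with numeric segments compared as integers. Plain dotted versions such as Flash's are the special case with no epoch or release; the comma form that the FlashPlayer CurrentVersion registry value uses is folded into the same shape (an assumption about that value's format).

```python
"""Version comparison for the version-based checks on this page.

Added example, not part of the original checklist.  compare_versions()
follows rpm's ordering rules: epoch first, then version, then release,
each split into digit runs and letter runs.
"""
import re

_SEG = re.compile(r"(\d+|[A-Za-z]+)")


def _split_evr(s):
    """'0:2.6.18-128.1.14.el5' -> (0, '2.6.18', '128.1.14.el5')."""
    epoch = 0
    if ":" in s:
        e, s = s.split(":", 1)
        epoch = int(e)
    version, _, release = s.partition("-")
    return epoch, version, release


def _cmp_segments(a, b):
    """rpmvercmp-style comparison of two version or release strings."""
    sa = _SEG.findall(a)
    sb = _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            # rpm rule: a numeric segment is newer than an alphabetic one
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    # Whichever string still has segments left over is the newer one.
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, va, ra = _split_evr(a.replace(",", "."))
    eb, vb, rb = _split_evr(b.replace(",", "."))
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_segments(va, vb)
    if c:
        return c
    return _cmp_segments(ra, rb)


def is_finding(installed, fixed):
    """A finding when the installed version is older than the fixed version."""
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    # Fixed versions are the ones quoted on this page; installed ones are sample inputs.
    for installed, fixed in [("9.0.151.0", "10.0.15.3"),
                             ("10,0,15,3", "10.0.15.3"),
                             ("2.6.18-128.1.10.el5", "0:2.6.18-128.1.14.el5")]:
        print(installed, "vs", fixed, "-> finding" if is_finding(installed, fixed) else "-> ok")
```

Feed compare_versions() the value from about:plugins, the registry, or uname -r on one side and the fixed version quoted in the notice on the other; it needs no package database and so runs the same way on Windows, Linux and Solaris hosts.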
_____________________________________________________________

Vulnerability Discussion:McAfee has released a security bulletin addressing a vulnerability in McAfee products. To exploit this vulnerability, an attacker would create a malicious archive file to bypass the scanner on a gateway. If successfully exploited, this vulnerability would allow an attacker to send a malicious archive file via email which the vulnerable application would fail to detect.

At this time, a proof of concept exists for this vulnerability but the exploits are not publicly available; JTF-GNO is not aware of any DoD incidents related to this vulnerability.

Archive Handling Security Bypass Vulnerability - (CVE-2009-1348): The AV engine before DAT 5600 in McAfee VirusScan, Total Protection, Internet Security, SecurityShield for Microsoft ISA Server, Security for Microsoft Sharepoint, Security for Email Servers, Email Gateway, and Active Virus Defense allows remote attackers to bypass virus detection via an invalid Headflags field in a malformed RAR archive, an invalid Packsize field in a malformed RAR archive, or an invalid Filelength field in a malformed ZIP archive. This could allow malware to bypass a scanner on a gateway.

Note: Users utilizing on-access scanning on endpoint devices should not be affected, as the scanner will see the files after the archive is opened. An attack, even if it is successful at bypassing the gateway, will have no lasting effect on the endpoint running an on-access scanner. The Windows Desktop Application STIG VR31 requires every machine to have an updated anti-virus program installed and active for on-access and on-demand virus detection.

Mitigations:McAfee workaround

Mitigation Control:McAfee has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

Workaround for McAfee Products: All users should enable On-Access-Scanning on all endpoint devices. This is the default setting after installation. By using On-Access-Scanning, endpoints will catch any threats that may pass on gateway devices. McAfee has long supported a defense-in-depth strategy that includes running antivirus software on multiple points of your network, including gateways, file servers, and especially endpoints.

Responsibility:System AdministratorIAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Apply McAfee patch or upgrade to a non-vulnerable version.

Vulnerability Discussion:Adobe has released a security bulletin addressing multiple vulnerabilities in Adobe JRun. JRun is a Java 2 Platform Enterprise Edition application server. To exploit these vulnerabilities, a remote attacker would create a malicious URI and entice a user to follow the link or submit the URI to an affected system. Successful exploitation of these vulnerabilities would facilitate unauthorized information disclosure and remote code execution resulting in the compromise of an affected system.

At this time, there are known exploits available for these vulnerabilities; JTF-GNO is not aware of any DoD incidents related to these vulnerabilities.

Directory Traversal Vulnerability - (CVE-2009-1873): An update for JRun resolves a management console directory traversal vulnerability that could potentially lead to information disclosure.

Vulnerability Discussion:Symantec and IBM released security advisories addressing a vulnerability in the Autonomy KeyView module. Autonomy KeyView is a commercial Software Development Kit (SDK) that provides file format parsing libraries. Autonomy KeyView is utilized in third-party vendors products and is shipped with the vulnerable Symantec and IBM products addressed in this notice. To exploit this vulnerability, an attacker would entice a user of an affected system to view a maliciously crafted Excel document sent via email. Successful exploitation would result in execution of arbitrary code in the context of the affected application. Failed exploit attempts would result in a denial of service condition. At this time, there are known exploits available for this vulnerability; JTF-GNO is not aware of any DoD incidents related to this vulnerability.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:The vendors have tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

Symantec Temporary Mitigation:
Symantec Security Response has released a Bloodhound detection, Bloodhound.Exploit.243, to detect and block attempts to exploit this issue. Detections are available through LiveUpdate or from the Symantec Security Response download site, http://www.symantec.com/business/security_response/definitions.jsp.

Temporary Workaround for Symantec Mail Security for Domino:
Installations of SMS for Domino 7.5 and 8.0 that do not utilize the Content Filtering capabilities of the product are not susceptible to this issue. SMS for Domino 7.5 and 8.0 would be susceptible only if the attachment content scanning option is enabled.

As an interim workaround, administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for Symantec Mail Security for Domino:
- Select the "Content Filtering" tab to display the list of currently enabled rules
- Click on the checkmark to the left of any rules that utilize attachment content filtering, changing it to a red "X" and disabling the rule

Temporary Workaround for Symantec Mail Security for Microsoft Exchange:
Installations of SMS for Microsoft Exchange 5.x that do not utilize the Content Filtering capabilities of the product are not susceptible. SMS for Microsoft Exchange 5.x is susceptible only if the attachment content scanning option is enabled.

As an interim workaround, administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for SMS for Microsoft Exchange:
- Select the "Policies" tab and then choose "Content Filtering" to display the list of currently enabled rules
- Ensure that all rules using attachment content are "disabled"

Temporary Workaround for Symantec Mail Security for SMTP and Symantec Mail Security/Brightmail Gateway Appliance:
Risk from this vulnerability is limited on installations of SMS for SMTP and SMS Appliance in which the attachment content scanning option is enabled. However, installations that do not utilize the Content Filtering capabilities of the product are not susceptible to this issue.

As an interim workaround, administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for SMS for SMTP and SMS Appliance 5.x, log into the management console and navigate to:
- Settings >> Email Scanning >> Scanning
- Disable the item "Enable searching of non-plain text attachments for words in dictionaries" by deselecting the checkbox, and save
- Disable any Compliance policies with a condition "If the Attachment content . . ."

To disable the content filtering rules for SMS/SBM Gateway Appliance after 5.x:
- Log into the management console and navigate to the SMTP Scanning Settings screen
- Disable the item "Enable searching of non-plain text attachments for words in dictionaries" by deselecting the checkbox, and save
- Disable any Compliance policies with a condition:
    "If any part of the message matches" (or "does not match") a regular expression, pattern or Record Resource.
    "If text in Attachment content part of the message . . ."

IBM Temporary Mitigation For Notes 8.5.x, 8.0x, and 7.x:
Disable the affected file viewer by following one of the options below:

Delete the keyview.ini file in the Notes program directory:
This disables ALL viewers. When a user clicks View (for any file attachment), a dialog box will display with the message "Unable to locate the viewer configuration file."

Delete or rename the affected DLL file:
In this case the affected DLL file is xlssr.dll. When a user tries to view a Microsoft Excel file, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.

Comment out lines in keyview.ini that reference the affected DLL file:
To comment out a line, precede it with a semi-colon (;). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized."

Example:
[KVWKBVE] --> this is the section of the keyview.ini
;188=xlssr.dll --> this would be the result of the Excel dll commented out

IBM Mitigation For Notes 5.x and 6.x:
Disable the affected file viewer using one of the same three options (delete keyview.ini in the Notes program directory, delete or rename xlssr.dll, or comment out the xlssr.dll line in the [KVWKBVE] section of keyview.ini); the resulting dialog messages are the same as for the later releases above.
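The keyview.ini option above is the one that can be applied and verified across many Notes clients without deleting anything. The following is an added example, not IBM's tooling: it comments out every active line that maps a viewer number to xlssr.dll, leaves lines that are already commented untouched, and reports which lines it changed, so the same function serves as a check (no changes needed means the workaround is in place). The sample INI text is constructed for the demonstration; only the [KVWKBVE] section and the 188=xlssr.dll entry come from the notice.

```python
"""Apply and verify the keyview.ini workaround for the KeyView Excel viewer.

Added example, not IBM's code.  The notice says to precede every keyview.ini
line that references xlssr.dll with a semi-colon.
"""
import re


def comment_out_dll(ini_text, dll="xlssr.dll"):
    """Return (new_text, changed_line_numbers).

    Only active "<number>=<dll>" lines are commented; lines that already
    start with ';' are left alone so the workaround is idempotent.
    """
    pat = re.compile(r"^\s*\d+\s*=\s*" + re.escape(dll) + r"\s*$", re.IGNORECASE)
    out, changed = [], []
    for lineno, line in enumerate(ini_text.splitlines(), 1):
        if pat.match(line):
            out.append(";" + line)
            changed.append(lineno)
        else:
            out.append(line)
    new_text = "\n".join(out)
    if ini_text.endswith("\n"):
        new_text += "\n"
    return new_text, changed


def still_references(ini_text, dll="xlssr.dll"):
    """Check mode: True if any active line still maps a viewer to the DLL."""
    _, changed = comment_out_dll(ini_text, dll)
    return bool(changed)


# Constructed sample keyview.ini content for the demonstration.
SAMPLE_INI = (
    "[KVWKBVE]\n"
    "999=example.dll\n"     # constructed neighbour entry, not a real viewer
    "188=xlssr.dll\n"       # the Excel viewer entry named in the notice
    ";189=xlssr.dll\n"      # already disabled; must not be double-commented
    "[Other]\n"
    "1=another.dll\n"       # constructed entry in another section
)

if __name__ == "__main__":
    fixed, changed = comment_out_dll(SAMPLE_INI)
    print("commented out lines:", changed)
    print("still references xlssr.dll:", still_references(fixed))
```

On a real client, read the file from the Notes program directory, write the returned text back only when the change list is non-empty, and keep a copy of the original so the line can be restored once the patched viewer is installed.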

Responsibility:System AdministratorIAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Vulnerability Discussion:Multiple vulnerabilities have been reported in libxml2. Libxml2 is free open-source software that provides XML parsing functions that are incorporated into various vendor's products. To exploit these vulnerabilities, a remote attacker would create a malicious XML file and entice a user of an affected system to process the file. If successfully exploited, these vulnerabilities would allow an attacker to cause a denial of service condition on the affected system.

At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

Stack Consumption Denial of Service Vulnerability - (CVE-2009-2414): Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework.

Use-After-Free Denial of Service Vulnerability - (CVE-2009-2416): Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted Notation or Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.

Responsibility:System AdministratorIAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Windows - Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Vulnerability Discussion:VMware has reported multiple vulnerabilities in various VMware products. VMware products provide enterprise level virtualization. To exploit these vulnerabilities, an attacker would create a malicious symbolic link in the temporary directory that points to an arbitrary file on the affected system. If successfully exploited, these vulnerabilities would allow an attacker to cause a denial of service on an affected system, or to gain escalated privileges, or to bypass certain security restrictions, or to disclose sensitive information, or possibly execute arbitrary code in the context of the user. At this time, there are no known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.

Vulnerability Discussion:A design error vulnerability has been reported affecting Snort. Snort is an open source network Intrusion Detection System (IDS) written for Linux, Unix and Microsoft Windows platforms. To exploit this vulnerability, a remote attacker would send a maliciously crafted IPv6 packet to an affected system. If successfully exploited, the malicious IPv6 packet would be processed by the affected system resulting in a denial of service condition.

At this time, there are known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.

Snort IPv6 packets Denial of Service Vulnerability - (CVE-2009-3641): Snort before 2.8.5.1, when the -v option is enabled, allows remote attackers to cause a denial of service (application crash) via a crafted IPv6 packet that uses the (1) TCP or (2) ICMP protocol.

Responsibility:System AdministratorIAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Windows - Download and apply the appropriate patches from the vendor. See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:Snort 2.8.5 and earlier

Open a command prompt. Change to the directory where "snort.exe" is located (default is C:\Snort\bin). Enter "snort -V" (capital "V"; this is case sensitive - do not use a lower case "v", which is the verbose packet-printing option named in the CVE, not the version switch).

Check Content:Vulnerable Versions:Snort Project Snort 2.8.5

Check Content:# snort -V

Update to Snort 2.8.5.1 or later
_____________________________________________________________

Vulnerability Discussion:Red Hat has addressed a vulnerability affecting the acpid daemon on various Red Hat platforms. The 'acpid' daemon is an ACPI (Advanced Configuration and Power Interface) policy daemon for Linux. To exploit this vulnerability, an attacker would leverage weak permissions in the /var/log/acpid log file. If successfully exploited, this vulnerability would allow an attacker to elevate their privileges and compromise the affected system.

At this time, there are no known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.

acpid daemon Vulnerability - (CVE-2009-4033): A certain Red Hat patch for acpid 1.0.4 effectively triggers a call to the open function with insufficient arguments, which might allow local users to leverage weak permissions on /var/log/acpid, and obtain sensitive information by reading this file, cause a denial of service by overwriting this file, or gain privileges by executing this file.

Vulnerability Discussion:HP has addressed multiple vulnerabilities affecting HP OpenView Network Node Manager. HP OpenView Network Node Manager (NNM) is a fault-management application for IP networks. To exploit these vulnerabilities, an attacker would create and send malicious data to a vulnerable system. If successfully exploited, these vulnerabilities would allow a remote attacker to take complete control of the affected system. Failed attempts will result in a denial-of-service condition.

At this time, there are known exploits associated with some of these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

HP OpenView Network Node Manager Perl CGI Executables Remote Code Execution Vulnerability - (CVE-2009-3845): The port-3443 HTTP server in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary commands via shell metacharacters in the hostname parameter to unspecified Perl scripts.

Vulnerability Discussion:A vulnerability has been identified in certain versions of the DISA UNIX Security Readiness Review (SRR) script. DISA SRR scripts are used to test products for Security Technical Implementation Guide (STIG) compliance. To exploit this vulnerability, an attacker would place a specially named malicious executable file on a UNIX asset. When the vulnerable SRR script is run on that UNIX asset, the malicious file will be executed with root level privileges resulting in the complete compromise of the affected system.

Vulnerability Discussion:Linux has addressed multiple vulnerabilities affecting the Linux kernel. To exploit these vulnerabilities, an attacker would interact with the vulnerable environment in a manner sufficient to escalate privileges or send malicious packets to the affected system. If successfully exploited, these vulnerabilities would lead to elevation of privileges or cause a denial of service condition resulting in the compromise of an affected system.

At this time, there are no known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.

Linux Kernel Local Privilege Escalation Vulnerability - (CVE-2009-3080):Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request.

Linux Kernel Integer Overflow Vulnerability - (CVE-2009-4307):The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel before 2.6.32-git6 allows user-assisted remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size (aka s_log_groups_per_flex value).

Linux Kernel Denial of Service Vulnerability - (CVE-2009-4308):The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel before 2.6.32 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal.

At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD incidents related to these vulnerabilities.

Sun Java System Directory Server Enterprise Edition improper handling of client connection Vulnerability - (CVE-2009-4440): A vulnerability in Directory Proxy Server (DPS) in Sun Java System Directory Server Enterprise Edition 6.0 through 6.3.1 does not properly handle multiple client connections within a short time window, which allows remote attackers to hijack the backend connection of an authenticated user, and obtain the privileges of this user, by making a client connection in opportunistic circumstances, related to "long binds," aka Bug Ids 6828462 and 6823593.

Vulnerability Discussion:The Sendmail Consortium has released an update to address a vulnerability affecting Sendmail. Sendmail is the most commonly used Simple Mail Transfer Protocol (SMTP) Server in Unix environments and is packaged with many Unix implementations including Sun Solaris, Hewlett-Packard HP-UX, IBM AIX and RedHat Linux. To exploit this vulnerability, an attacker would present a maliciously crafted certificate to a vulnerable system. If successfully exploited, this vulnerability would allow an attacker to perform man-in-the-middle attacks or impersonate trusted servers resulting in the compromise of affected systems.

At this time, there are known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.

Null Character Certificate Validation Vulnerability (CVE-2009-4565):Sendmail before 8.14.4 does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority.

Responsibility:System Administrator

IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Unix - Solaris

Determine the version of the Sendmail software

# telnet localhost 25

sendmail should greet you with its welcome message and tell you the version of its binary and config file. Enter QUIT to leave this mode. If this command does not return any version information, then

# sendmail -d0.4 -bv root

should tell you its version and some basic settings.

Upgrade to non-vulnerable version of affected product.
_____________________________________________________________

Vulnerability Discussion:Red Hat has addressed multiple vulnerabilities affecting the Linux kernel. Red Hat Network is a complete systems management platform for Linux that's built on open standards and uses a simple, Internet-based graphical interface. To exploit these vulnerabilities, an attacker would send malicious packets to the affected system or interact with the vulnerable environment in a manner sufficient to escalate privileges. If successfully exploited, these vulnerabilities would lead to elevation of privileges or cause a denial of service condition resulting in the compromise of an affected system.

At this time, there are no known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.

Rewrite Attack Vulnerability - (CVE-2006-6304) The RHSA-2009:0225 update introduced a rewrite attack flaw in the do_coredump() function. A local attacker able to guess the file name a process is going to dump its core to, prior to the process crashing, could use this flaw to append data to the dumped core file. This issue only affects systems that have "/proc/sys/fs/suid_dumpable" set to 2 (the default value is 0).

Information Disclosure Vulnerability - (CVE-2009-2910) An information leak was found in the Linux kernel. On AMD64 systems, 32-bit processes could access and read certain 64-bit registers by temporarily switching themselves to 64-bit mode.

Array Index Error Vulnerability (CVE-2009-3080) An array index error was found in the gdth driver. A local user could send a specially-crafted IOCTL request that would cause a denial of service or, possibly, privilege escalation.

N-Port Virtualization Vulnerability - (CVE-2009-3556) The RHBA-2008:0314 update introduced N_Port ID Virtualization (NPIV) support in the qla2xxx driver, resulting in two new sysfs pseudo files, "/sys/class/scsi_host/[a qla2xxx host]/vport_create" and "vport_delete". These two files were world-writable by default, allowing a local user to change SCSI host attributes. This flaw only affects systems using the qla2xxx driver and NPIV capable hardware.

megaraid_sas Driver Permissions Vulnerability - (CVE-2009-3889, CVE-2009-3939) Permission issues were found in the megaraid_sas driver. The "dbg_lvl" and "poll_mode_io" files on the sysfs file system ("/sys/") had world-writable permissions. This could allow local, unprivileged users to change the behavior of the driver.

Buffer Overflow Vulnerability - (CVE-2009-4020):A buffer overflow flaw was found in the hfs_bnode_read() function in the HFS file system implementation. This could lead to a denial of service if a user browsed a specially-crafted HFS file system, for example, by running "ls".

FUSE implementation Vulnerability - (CVE-2009-4021):A flaw was found in the FUSE implementation. When a system is low on memory, fuse_put_request() could dereference an invalid pointer, possibly leading to a local denial of service or privilege escalation.

NULL pointer dereference Vulnerability - (CVE-2009-4138):A NULL pointer dereference flaw was found in the firewire-ohci driver used for OHCI compliant IEEE 1394 controllers. A local, unprivileged user with access to /dev/fw* files could issue certain IOCTL calls, causing a denial of service or privilege escalation. The FireWire modules are blacklisted by default, and if enabled, only root has access to the files noted above by default.

fasync_helper() Implementation Vulnerability - (CVE-2009-4141):A deficiency issue was discovered in the fasync_helper() implementation. This could allow a local, unprivileged user to leverage a use-after-free of locked, asynchronous file descriptors to cause a denial of service or privilege escalation.

Multiple Routing Implementation Vulnerabilities - (CVE-2009-4272) The RHSA-2009:1243 update introduced two flaws in the routing implementation. If an attacker was able to cause a large enough number of collisions in the routing hash table (via specially-crafted packets) for the emergency route flush to trigger, a deadlock could occur. Secondly, if the kernel routing cache was disabled, an uninitialized pointer would be left behind after a route lookup, leading to a kernel panic.

Responsibility:System Administrator

IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:To determine if the kernel patch has been applied perform the following command:

# rpm -qa | grep kernel | xargs rpm -q --changelog | grep 4272

4272 is the CVE identifier that shows this vulnerability has been addressed.

Vulnerability Discussion:Red Hat has released a security advisory addressing multiple vulnerabilities affecting the Red Hat implementation of HelixPlayer. HelixPlayer is a media player available for Linux, BSD, and Solaris platforms. To exploit these vulnerabilities, a remote attacker would leverage various tactics, techniques and procedures (TTP) against affected systems. If successfully exploited, these vulnerabilities would result in the compromise of affected systems.

At this time, there are known exploits associated with at least one of these vulnerabilities; the JTF-GNO is not aware of any DoD related incidents.

HelixPlayer Heap Overflow Vulnerability - (CVE-2009-4242 / CVE-2009-4245): Multiple buffer and integer overflow flaws were found in the way HelixPlayer processed Graphics Interchange Format (GIF) files. An attacker could create a specially-crafted GIF file which would cause HelixPlayer to crash or, potentially, execute arbitrary code when opened.

Vulnerability Discussion:Adobe has released a security bulletin addressing a vulnerability in multiple Adobe products. To exploit this vulnerability, a remote attacker would create and send a malicious request to the affected application. If successfully exploited, this vulnerability would allow an unauthenticated remote attacker to obtain sensitive information and compromise the affected application.

At this time, there are no known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.

Adobe Products XML Processing Vulnerability - (CVE-2009-3960): The vulnerability is caused due to an error when processing incoming requests and can be exploited to disclose files via XML external entity references and injected tags.

Vulnerability Discussion:HP has addressed a vulnerability affecting HP OpenView Network Node Manager. HP OpenView Network Node Manager (NNM) is a fault-management application for IP networks. To exploit this vulnerability, an attacker would create and send malicious data to a vulnerable system. If successfully exploited, this vulnerability would allow a remote attacker to compromise the affected system.

Vulnerability Discussion:Cisco has released an advisory addressing multiple vulnerabilities in Cisco Security Agent. Cisco Security Agent is a security software agent that provides threat protection for server and desktop computing systems and comes pre-installed in various Cisco products. To exploit these vulnerabilities, an attacker would interact with a vulnerable system in a malicious manner. Successful exploitation of these vulnerabilities would result in the compromise of affected systems.

At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

Management Center for Cisco Security Agents Directory Traversal Vulnerability - (CVE-2010-0146):The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability that may allow an authenticated attacker to view and download arbitrary files from the server that is hosting the Management Center for Cisco Security Agents. Cisco Security Agent release 6.0 is affected by the directory traversal vulnerability. This vulnerability is documented in Cisco Bug ID CSCtd73275 (registered customers only).

Management Center for Cisco Security Agents SQL Injection Vulnerability - (CVE-2010-0147):The Management Center for Cisco Security Agents is also affected by a SQL injection vulnerability that may allow an authenticated attacker to execute SQL statements that can cause the Management Center for Cisco Security Agents to become unstable or modify its configuration. These configuration changes may result in modifications to the security policies of the endpoints. Additionally, an attacker may create, delete, or modify management user accounts that are found in the Management Center for Cisco Security Agents. Cisco Security Agent releases 5.1, 5.2 and 6.0 are affected by the SQL injection vulnerability.

Cisco Security Agent Denial of service vulnerability - (CVE-2010-0148):Cisco Security Agent is affected by a DoS vulnerability that could allow an unauthenticated attacker to cause a system to crash by sending a series of TCP packets. Cisco Security Agent release 5.2 is affected by the DoS vulnerability.

Note: The Windows and Sun Solaris versions of the Cisco Security Agent are not affected by the DoS vulnerability.

Mitigations:Cisco mitigations

Mitigation Control:Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100217-csa.shtml

Vulnerability Discussion:Multiple vulnerabilities have been identified that affect the Linux kernel. The Linux kernel is an operating system kernel used by Linux based operating systems. To exploit these vulnerabilities, an attacker would send malicious data to an affected system or interact with a vulnerable system in a malicious manner. If successfully exploited, these vulnerabilities would lead to elevation of privileges or cause a denial of service condition resulting in the compromise of an affected system.

At this time, there are known exploits associated with at least one of these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

Linux Kernel Buffer Overflow Vulnerability - (CVE-2010-0297): Buffer overflow in the usb_host_handle_control function in the USB passthrough handling implementation in usb-linux.c in QEMU before 0.11.1 allows guest OS users to cause a denial of service (guest OS crash or hang) or possibly execute arbitrary code on the host OS via a crafted USB packet.

Linux Kernel x86 emulator Vulnerability - (CVE-2010-0298): The x86 emulator in KVM 83 does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) in determining the memory access available to CPL3 code, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, a related issue to CVE-2010-0306.

Linux Kernel x86 emulator SMP Vulnerability - (CVE-2010-0306): The x86 emulator in KVM 83, when a guest is configured for Symmetric Multiprocessing (SMP), does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) to restrict instruction execution, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, and replacing an instruction in between emulator entry and instruction fetch, a related issue to CVE-2010-0298.

Linux Kernel PIT Denial of Service Vulnerability - (CVE-2006-0309): The pit_ioport_read function in the Programmable Interval Timer (PIT) emulation in i8254.c in KVM 83 does not properly use the pit_state data structure, which allows guest OS users to cause a denial of service (host OS crash or hang) by attempting to read the /dev/port file.

Note: The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG did not include support for devtmpfs, and therefore are not affected by CVE-2010-0299. See the CVE-2010-0299 Red Hat Bugzilla entry for more information.

Linux Kernel x86 emulator loaded segment selector Vulnerability - (CVE-2010-0419):A flaw was found in the way the x86 emulator loaded segment selectors (used for memory segmentation and protection) into segment registers. In some guest system configurations, an unprivileged guest user could leverage this flaw to crash the guest or possibly escalate their privileges within the guest.

Vulnerability Discussion:McAfee has released a security bulletin addressing a vulnerability in McAfee products. McAfee LinuxShield is an antivirus application available for Linux platforms. To exploit this vulnerability, an attacker with access to the LinuxShield client system would be able to log into the statistics server and execute commands as the LinuxShield Admin. If successfully exploited, this vulnerability would allow an attacker to compromise the affected system.

At this time, there are no known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.

McAfee LinuxShield "nailsd" Authentication Vulnerability:This issue involves improper authentication from a LinuxShield client to the LinuxShield statistics server. Current editions allow any user locally on the LinuxShield client system to log into the statistics server and execute commands as the LinuxShield Admin user. The potential results include disabling of the LinuxShield service and potential code execution.

Responsibility:System Administrator

IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Check for installed app and version with:

# rpm -qa | grep "LinuxShield-"

If installed, must be at least version 1.5.1 with hotfix HF550192 applied.

Vulnerability Discussion:Hewlett-Packard has reported a security vulnerability affecting HP-UX running Network File System (NFS). NFS allows a user on a client computer to access files over a network in a manner similar to how local storage is accessed. This vulnerability can be exploited by a remote attacker via unknown vectors. If successfully exploited, this vulnerability would allow an unauthenticated remote attacker to bypass security restrictions and compromise an affected system. Vulnerability (CVE-2010-0145):

A potential security vulnerability has been identified with NFS/ONCplus running on HP-UX. The vulnerability could result in the inadvertent enabling of NFS.

Vulnerability Discussion:VMware has reported multiple vulnerabilities in various VMware products. VMware products provide enterprise level virtualization. To exploit these vulnerabilities, an attacker would send malicious requests to an affected system or interact with the interactive access on a virtual machine in a malicious manner. If successfully exploited, these vulnerabilities would allow an attacker to compromise the affected system.

At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

WebAccess Context Data Cross-site Scripting Vulnerability - (CVE-2009-2277):A cross-site scripting vulnerability in WebAccess allows for disclosure of sensitive information. The flaw is due to insufficient verification of certain parameters which may lead to redirection of a user's requests. This vulnerability can only be exploited if the attacker tricks the WebAccess user into clicking a malicious link and the attacker has control of a server on the same network as the system where WebAccess is being used.

WebAccess URL Forwarding Vulnerability - (CVE-2010-0686):The WebAccess component doesn't sufficiently validate user supplied input and allows for forwarding of an incoming request to another destination. The destination will not be able to see the true origin of the request URL but instead will see the address of the machine that runs WebAccess. An attacker could use the forwarding vulnerability to direct traffic at servers while disguising the source location. The security issue is limited to URL forwarding. This vulnerability doesn't allow for a so-called cross-site scripting attack and doesn't allow for stealing of the user cookies.

WebAccess Virtual Machine Name Cross-site Scripting Vulnerability - (CVE-2010-1137):A cross-site scripting vulnerability allows for execution of JavaScript in the Web browser's security context for WebAccess. The flaw is due to insufficient checking on the names of virtual machines. In order to exploit the issue, the attacker must have control over the naming of a virtual machine and must have the user list this Virtual Machine in WebAccess.

WebAccess JSON Cross-site Scripting Vulnerability - (CVE-2010-1193):A cross-site scripting vulnerability allows for execution of JavaScript in the Web browser's security context for WebAccess. The flaw is due to incorrect parsing of JSON error messages. This vulnerability can only be exploited if the attacker tricks the WebAccess user into clicking a malicious link.

Vulnerability Discussion:VMware has released a security advisory addressing multiple vulnerabilities in various VMware products. VMware products provide enterprise level virtualization. To exploit these vulnerabilities, an attacker would send malicious requests to an affected system or interact with the interactive access on a virtual machine in a malicious manner. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code or to compromise the affected system.

At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

VMware VMnc Codec Heap Overflow Vulnerabilities - (CVE-2009-1564 and CVE-2009-1565):Vulnerabilities in the decoder allow for execution of arbitrary code with the privileges of the user running an application utilizing the vulnerable codec.

VMware Player and Workstation 'vmware-authd' Remote Denial of Service Vulnerability - (CVE-2009-3707):A vulnerability in vmware-authd could cause a denial of service condition on Windows-based hosts. The denial of service is limited to a crash of authd.

VMware Remote Console 'connect' Method Remote Format String Vulnerability - (CVE-2009-3732):VMware Remote Console (VMrc) contains a format string vulnerability. Exploitation of this issue may lead to arbitrary code execution on the system where VMrc is installed.

VMware 'vmrun' Local Privilege Escalation Vulnerability - (CVE-2010-1139):A format string vulnerability in vmrun could allow arbitrary code execution. If a vmrun command is issued and processes are listed, code could be executed in the context of the user listing the processes.

VMware Hosted Products USB Service Local Privilege Escalation Vulnerability - (CVE-2010-1140):A vulnerability in the USB service allows for a privilege escalation. A local attacker on the host of a Windows-based Operating System where VMware Workstation or VMware Player is installed could plant a malicious executable on the host and elevate their privileges.

VMware Hosted Products VMware Tools Library Reference Remote Code Execution Vulnerability - (CVE-2010-1141):A vulnerability in the way VMware libraries are referenced allows for arbitrary code execution in the context of the logged on user. This vulnerability is present only on Windows Guest Operating Systems.

VMware Hosted Products VMware Tools Local Privilege Escalation Vulnerability - (CVE-2010-1142):A vulnerability in the way VMware executables are loaded allows for arbitrary code execution in the context of the logged on user. This vulnerability is present only on Windows Guest Operating Systems.

Vulnerability Discussion:TANDBERG has released a security bulletin addressing multiple vulnerabilities in Video Communication Server (VCS). The Video Communication Server (VCS) is an integral part of the TANDBERG Total Solution video communications network. To exploit these vulnerabilities, an attacker would interact with an affected system in a malicious manner. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code, gain access to sensitive information and conduct man-in-the-middle attacks.

At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

CVE-2009-4509:The administrative web console on the TANDBERG Video Communication Server (VCS) before X4.3 uses predictable session cookies in (1) tandberg/web/lib/secure.php and (2) tandberg/web/user/lib/secure.php, which makes it easier for remote attackers to bypass authentication, and execute arbitrary code by loading a custom software update, via a crafted "Cookie: tandberg_login=" HTTP header.

Mitigation Control:Mitigation (CVE-2010-4509) Upgrade to firmware version x4.3.0 (or newer) as soon as possible. If this is not immediately possible, temporary mitigation could be achieved by changing the $this->secret constant in the following files to something unpredictable:

/tandberg/web/lib/secure.php

/tandberg/web/user/lib/secure.php

Mitigation (CVE-2010-4510) Immediately replace the current SSH host key with a new one. This may be accomplished through one of several methods. One approach is to simply log in to the device locally and use the ssh-keygen utility to replace the keys stored in /tandberg/sshkeys/. Consult TANDBERG documentation for other methods. After replacing the SSH host keys, it is recommended that the VCS firmware be upgraded to X5.1.1 as soon as possible. NOTE: Upgrading or downgrading to versions prior to X5.1.1 will cause any custom SSH host keys to be overwritten. Version X5.1.1 and later should preserve any custom host keys previously installed. As a precaution, after upgrading or downgrading VCS firmwares, verify that the host key has not changed back to the publicly known one with fingerprint: 49:53:bf:94:2a:d7:0c:3f:48:29:f7:5b:5d:de:89:b8

Targeted to LINUX-only. Determine the version if the SA confirms that it is installed. If the version is listed in the preceding vulnerable systems, this is a finding.
_____________________________________________________________

Vulnerability Discussion:HP has addressed multiple vulnerabilities affecting HP OpenView Network Node Manager. HP OpenView Network Node Manager (OV NNM) is a fault-management application for IP networks. To exploit these vulnerabilities, an attacker would create and send malicious data to a vulnerable system. If successfully exploited, these vulnerabilities would allow a remote attacker to execute arbitrary code and compromise the affected system.

At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

HP OpenView Network Node Manager Remote Execution Vulnerability - (CVE-2010-1550): The specific flaw exists within the ovet_demandpoll.exe process. This process can be started by invoking the webappmon.exe CGI application through the webserver. The process calls vnsprintf() directly with the contents of the 'sel' POST variable. By providing a malicious value this format string vulnerability can be leveraged by remote attackers to execute arbitrary code under the context of the ovet_demandpoll.exe process.

HP OpenView Network Node Manager Remote Execution Vulnerability - (CVE-2010-1551):The specific flaw exists within the Network Monitor (netmon.exe) daemon. This process can be started by invoking the webappmon.exe CGI application through the webserver. When the _OVParseLLA function defined within ov.dll is called from netmon.exe it directly copies the value of the 'sel' POST variable into a fixed-length stack buffer with a call to strcpy(). This can be leveraged by remote attackers to execute arbitrary code under the context of the webserver process.

HP OpenView Network Node Manager Remote Execution Vulnerability - (CVE-2010-1552): The specific flaw exists within the snmpviewer.exe CGI. The doLoad function in this process calls sprintf() with a %s format specifier and unsanitized user input retrieved from two separate POST variables (act and app). By providing large enough strings a remote attacker can cause a stack-based buffer overflow and eventually execute arbitrary code under the context of the webserver process.

HP OpenView Network Node Manager Remote Execution Vulnerability - (CVE-2010-1553): The specific flaw exists within the getnnmdata.exe CGI. If this CGI is requested with an invalid MaxAge parameter a sprintf() call is made to log the error. However, no length check is performed on the variable contents before copying in to a fixed-length stack buffer. This can be leveraged by remote attackers to execute arbitrary code under the context of the webserver process.

HP OpenView Network Node Manager Remote Execution Vulnerability - (CVE-2010-1554): The specific flaw exists within the getnnmdata.exe CGI. If this CGI is requested with an invalid iCount POST parameter a sprintf() call is made to log the error. However, no length check is performed on the variable contents before copying in to a fixed-length stack buffer. This can be leveraged by remote attackers to execute arbitrary code under the context of the webserver process.

HP OpenView Network Node Manager Remote Execution Vulnerability - (CVE-2010-1555):The specific flaw exists within the getnnmdata.exe CGI. If this CGI is requested with an invalid Hostname parameter a sprintf() call is made to log the error. However, no length check is performed on the variable contents before copying in to a fixed-length stack buffer. This can be leveraged by remote attackers to execute arbitrary code under the context of the webserver process.

If the HP OpenView Network Node Manager is installed, determine the version with the rpm (LINUX), swlist (HP) or strings (Solaris) command(s) and if the version is not greater than the above listed version(s), this is a finding.

Vulnerability Discussion:Red Hat has addressed multiple vulnerabilities affecting the JBoss Enterprise Application Platform. To exploit these vulnerabilities, an attacker would send malicious packets to the affected system or interact with the vulnerable environment in a malicious manner. If successfully exploited, these vulnerabilities would allow a remote attacker to bypass security restrictions and gain unauthorized access to sensitive information.

At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

JMX-Console Web Application Vulnerability - (CVE-2010-0738):The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.

Web Console Information Disclosure Vulnerability - (CVE-2010-1428):The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method.

Vulnerability Discussion:VMware has released a security advisory addressing multiple vulnerabilities in VMware Studio. VMware Studio is an application that allows users to create, configure, and deploy VMware virtual applications and appliances. To exploit these vulnerabilities, an attacker would send malicious requests to an affected system or interact with the interactive access on a virtual machine in a malicious manner. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code and compromise the affected system.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

VMware Studio 2.0 Remote Command Execution Vulnerability - (CVE-2010-2667):VMware Studio is a development tool to create and manage virtual appliances. VMware Studio itself is a virtual appliance. A vulnerability in the Virtual Appliance Management Infrastructure (VAMI) allows for remote command execution in Studio 2.0 or in virtual appliances created with Studio 2.0. Exploitation of the issue requires authentication to Studio or to the virtual appliance. Studio is by default shipped with the root user account and no other user accounts. For this reason, exploitation of the vulnerability would not yield any gain for an attacker since the attacker would need to know the credentials of the root user account in order to launch an attack. If an attacker knows the credentials of the root user, the attacker will have other avenues to compromise Studio. In case another user account with limited privileges has been added to Studio, the exploitation of the issue may lead to remote command execution by the attacker. The attacker would still need to know the credentials of the additional user account in order to launch an attack.

VMware Studio 2.0 local privilege escalation vulnerability - (CVE-2010-2427):VMware Studio is a development tool to create and manage virtual appliances. VMware Studio itself is a virtual appliance. A vulnerability in the way temporary files are written may lead to a privilege escalation in Studio 2.0. Exploitation of the issue requires authentication to the system running Studio. Virtual appliances created with Studio 2.0 are not affected. Studio is by default shipped with the root user account and no other user accounts. For this reason, exploitation of the vulnerability would not yield any gain for an attacker since the attacker would need to know the credentials of the root user account in order to launch an attack. If an attacker knows the credentials of the root user, the attacker will have other avenues to compromise Studio.

Vulnerability Discussion:Citrix has released two security bulletins addressing vulnerabilities in Citrix Online Plug-Ins and ICA Clients. Citrix Online Plug-Ins and ICA Clients provide users with access to Citrix products like XenApp and XenDesktop servers. To exploit these vulnerabilities, an attacker would entice a user to access a malicious or compromised website. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code on the client device in the context of the logged in user.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Vulnerability Discussion:Cisco has released an advisory addressing a vulnerability affecting the Cisco Wireless Control System (WCS). Cisco WCS enables an administrator to configure and monitor one or more Wireless LAN Controllers (WLC) and associated access points. To exploit this vulnerability, a remote attacker would execute a SQL injection attack. If successfully exploited, this vulnerability would allow an authenticated remote attacker to modify system configuration, create/modify/delete users, or modify the configuration of wireless devices managed by WCS.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. SQL Injection Vulnerability - (CVE-2010-2826):A SQL injection vulnerability in Cisco Wireless Control System (WCS) 6.0.x before 6.0.196.0 allows remote authenticated users to execute arbitrary SQL commands via vectors related to the ORDER BY clause of the Client List screens.
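The defensive pattern for this class of flaw, a user-chosen sort column spliced into an ORDER BY clause, is to map the request value onto a fixed allow-list rather than copying it into the statement. The C below is an added illustration, not Cisco WCS code; the table name, column names and the query text are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Cisco WCS code. Identifiers such as column names cannot be
 * bound as prepared-statement parameters, so the request value is matched
 * against a fixed allow-list and only the allow-list's own string ever reaches
 * the SQL text. Table and column names below are constructed. */

static const char *const SORTABLE_COLUMNS[] = {
    "mac_address", "ip_address", "ssid", "last_seen"
};

/* Returns the allow-listed column string when `requested` matches one exactly,
 * otherwise NULL. The return value is our constant, never the caller's buffer. */
const char *resolve_sort_column(const char *requested)
{
    size_t n = sizeof SORTABLE_COLUMNS / sizeof SORTABLE_COLUMNS[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(requested, SORTABLE_COLUMNS[i]) == 0)
            return SORTABLE_COLUMNS[i];
    return NULL;
}

/* Vulnerable pattern, kept only for contrast: the request value is formatted
 * straight into the statement, so whatever follows the column name is parsed
 * as SQL by the database. */
int build_query_unsafe(const char *sort_col, char *out, size_t outsz)
{
    int n = snprintf(out, outsz,
        "SELECT mac_address, ip_address, ssid FROM clients ORDER BY %s", sort_col);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Hardened pattern: returns 0 and fills `out`, or -1 with `out` emptied when the
 * column is not on the allow-list or the buffer is too small. The sort direction
 * is a boolean, so it too is mapped to a fixed keyword rather than copied. */
int build_query_safe(const char *sort_col, int descending, char *out, size_t outsz)
{
    const char *col = resolve_sort_column(sort_col);
    if (col == NULL) {
        if (outsz) out[0] = '\0';
        return -1;
    }
    int n = snprintf(out, outsz,
        "SELECT mac_address, ip_address, ssid FROM clients ORDER BY %s %s",
        col, descending ? "DESC" : "ASC");
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz) out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Helpers that feed the same request value to both builders. */
int unsafe_accepts(const char *sort_col)
{
    char q[256];
    return build_query_unsafe(sort_col, q, sizeof q) == 0;
}

int safe_accepts(const char *sort_col)
{
    char q[256];
    return build_query_safe(sort_col, 0, q, sizeof q) == 0;
}

int main(void)
{
    char q[256];
    if (build_query_safe("ssid", 1, q, sizeof q) == 0)
        printf("%s\n", q);
    printf("allow-list rejects 'ssid;--': %s\n", safe_accepts("ssid;--") ? "no" : "yes");
    return 0;
}
```

The safe builder never returns the caller's bytes to the SQL layer: a near-miss such as a differently cased column name is rejected rather than normalised, which keeps the allow-list the single source of truth.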

Mitigation Control:Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POAM to help block known attack vectors until required compliance actions can be completed.

Mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100811-wcs.shtml.

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Vulnerable Systems:Cisco WCS 6.0.x prior to 6.0.196.0
Note: Cisco WCS software release 7.0 is not affected by this vulnerability. Cisco WCS version 7.0.164.0 (which is the first 7.0 version) already contains the fix for this vulnerability. Cisco WCS software releases prior to 6.0 are not affected by this vulnerability.

The version of WCS software installed on a particular device can be found via the Cisco WCS HTTP management interface. Choose Help > About the Software to obtain the software version. If the installed version does not meet the criteria of the “Vulnerable Systems” section above, this is a finding.

Vulnerability Discussion:Multiple vulnerabilities have been reported in VxWorks. VxWorks is a real-time operating system that can be used in embedded systems. These vulnerabilities can be exploited by remote attackers utilizing various tactics, techniques and procedures (TTP). If successfully exploited, attackers may leverage these issues to bypass system security and compromise the affected system.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. VxWorks Security-Bypass Vulnerability - (CVE-2010-2965): VxWorks is vulnerable to a security-bypass vulnerability because it runs a system-level debugger (WDB agent) on UDP port 17185 without any requirement for authentication. A remote attacker can exploit this vulnerability to read/write memory, call functions, and manage tasks. The VxWorks WDB target agent is a target-resident, run-time facility that is required for connecting host tools to a VxWorks target system during development. WDB is a selectable component in the VxWorks configuration and is enabled by default. The WDB debug agent access is not secured and does provide a security hole in a deployed system.

VxWorks Password Hashing Algorithm Vulnerabilities - (CVE-2010-2966, CVE-2010-2967, CVE-2010-2968): The hashing algorithm that is used in the standard authentication API for VxWorks is susceptible to collisions. An attacker can brute force a password by guessing a string that produces the same hash as a legitimate password. An attacker with a known username and access to a service (telnet, rlogin or FTP) that uses the standard authentication API (loginDefaultEncrypt (), part of loginLib) can brute force the password in a relatively short period of time. Since the hashing algorithm is susceptible to collisions, the actual password does not have to be found, just a string that produces the same hash.

Mitigations:VxWorks workarounds

Mitigation Control:Wind River has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

VxWorks Security-Bypass Vulnerability

Disable debug agent
Vendors should remove the WDB target debug agent in their VxWorks based products by removing the INCLUDE_WDB INCLUDE_DEBUG components from their VxWorks Image.

Restrict access
Appropriate firewall rules should be implemented to restrict access to the debug service (17185/udp) to only trusted sources until vendors have released patches to disable it.

VxWorks Password Hashing Algorithm Vulnerability

Vendors which use VxWorks in their products should not use the default hashing algorithm in standard authentication API (loginDefaultEncrypt()). A trusted authentication API should be used instead. It can be installed by means of the loginEncryptInstall() loginLib hook.

In addition, and so as to avoid registration of the default target/password credentials at init time, the LOGIN_USER_NAME and LOGIN_USER_PASSWORD project parameters/#defines should be set to empty strings (so that no user is registered using the default encryption routine). Only after the new encryption routine is registered should new users be added to the system.

loginEncryptInstall allows the user to install a custom encryption routine. The custom routine rtn must be of the following form (the vendor's sample below returns a fixed digest and must be replaced by a real hash implementation before use):

#include <vxWorks.h>
#include <loginLib.h>
#include <string.h>

/* cryptSha is the fixed digest string defined alongside this sample in the
 * vendor documentation; its value is not reproduced here. */

LOCAL STATUS fixed_sha
    (
    char *password,          /* clear-text password supplied at login */
    char *encryptedpassword  /* output buffer receiving the encrypted form */
    )
    {
    /*
     * IMPORTANT: This test routine should be replaced by a real SHA
     * generator. Because of the fixed digest, the current version does not
     * perform actual user validation (i.e. all passwords are accepted for user
     * vincent).
     */
    strcpy (encryptedpassword, cryptSha);
    return OK;
    }

Restrict access
Appropriate firewall rules should be implemented to restrict access to any services that use the standard authentication API.

Disable services
Services such as FTP or telnet should be disabled if not needed.

Monitor access
IDS signatures should be implemented to detect brute force attacks to services that use the standard authentication API.

Vulnerability Discussion:A privilege escalation vulnerability has been identified in the Linux kernel. The Linux kernel is an operating system kernel used by Linux based operating systems. To exploit this vulnerability, an attacker would interact with an affected system in a malicious manner. If successfully exploited, this vulnerability would allow escalation of privileges, resulting in the compromise of an affected system.

At this time, there are known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. 64-bit Compatibility Mode Stack Pointer Underflow - (CVE-2010-3081):The compat_alloc_user_space() function in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges.

Per Mitre.org, note that CVE-2010-3081 covers the following: Linux kernels before 2.6.36-rc4-git2 on 64-bit platforms do not properly allocate the userspace memory required for the 32-bit compatibility layer.
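The "missing sanity checks" are easier to see in a small model. The C below is an added illustration, not Linux kernel code: it mirrors how compat_alloc_user_space() carves scratch space out of the user stack by subtracting a caller-supplied length from the saved stack pointer, and contrasts the unchecked subtraction with one that verifies the result stays in user space (the role access_ok() plays in the kernel). The address constants are constructed for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code: a user-space model of the allocator pattern
 * behind CVE-2010-3081. USER_LIMIT and USER_SP are constructed; on a real
 * x86-64 kernel the boundary is TASK_SIZE and the range check is access_ok(). */

#define USER_LIMIT ((uintptr_t)0x00007ffffffff000ULL) /* first non-user address */
#define USER_SP    ((uintptr_t)0x00007fffffffe000ULL) /* saved user stack pointer */

/* Unchecked variant, mirroring the missing sanity check: when len exceeds sp
 * the unsigned subtraction wraps, so the "user" scratch area lands at or above
 * USER_LIMIT, i.e. in what would be kernel address space. */
uintptr_t alloc_user_space_unchecked(uintptr_t sp, size_t len)
{
    return sp - len;
}

/* Hardened variant: refuse a length that would wrap, and refuse a result whose
 * whole [start, start + len) range is not below USER_LIMIT. Returns 0 on
 * rejection (the kernel fix returns NULL). */
uintptr_t alloc_user_space_checked(uintptr_t sp, size_t len)
{
    if (len > sp)
        return 0;                         /* subtraction would underflow */
    uintptr_t start = sp - len;
    if (start >= USER_LIMIT || len > USER_LIMIT - start)
        return 0;                         /* range not wholly in user space */
    return start;
}

/* 1 when the unchecked allocator yields a non-user address for this length. */
int unchecked_escapes_user_space(size_t len)
{
    return alloc_user_space_unchecked(USER_SP, len) >= USER_LIMIT;
}

/* 1 when the hardened allocator rejects this length. */
int checked_rejects(size_t len)
{
    return alloc_user_space_checked(USER_SP, len) == 0;
}

int main(void)
{
    size_t benign  = 4096;
    size_t hostile = (size_t)USER_SP + 0x100000;   /* larger than the stack pointer itself */
    printf("benign:  unchecked escapes=%d, checked rejects=%d\n",
           unchecked_escapes_user_space(benign), checked_rejects(benign));
    printf("hostile: unchecked escapes=%d, checked rejects=%d\n",
           unchecked_escapes_user_space(hostile), checked_rejects(hostile));
    return 0;
}
```

The point the model makes is that the caller's length must be validated by the allocator itself, since a length argument that reaches it from user space through another syscall path cannot be assumed sane by every caller.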

Vulnerability Discussion:The Bzip organization has addressed a vulnerability affecting the bzip2 application. bzip2 is a free open source data compressor commonly used in Linux and Unix operating systems. To exploit this vulnerability, a remote attacker would send a malicious request to a vulnerable application. If successfully exploited, this vulnerability would allow an unauthenticated remote attacker to execute arbitrary code in the context of the current user or cause a denial-of-service condition.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. bzip2 "BZ_decompress" Integer Overflow Vulnerability - (CVE-2010-0405):The vulnerability is caused due to an integer overflow in the "BZ2_decompress()" function in decompress.c and can be exploited to cause a crash or potentially execute arbitrary code.

Vulnerability Discussion:TANDBERG has addressed a vulnerability in the MXP series Video Conferencing Device. The Video Conferencing Device is a set of interactive telecommunication technologies that allow two or more locations to interact using video and audio transmissions simultaneously. To exploit this vulnerability, an attacker would send malicious SNMP packets with spoofed source IP addresses to the affected system. If successfully exploited, this vulnerability would allow an attacker to deny service to legitimate users, resulting in a denial of service condition.

At this time, there are known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. TANDBERG MXP Series Endpoint SNMP Denial of Service Vulnerability:The vulnerability exists due to improper packet handling in the implementation of SNMP by the software. If the source IP of the requestor is spoofed, the affected firmware erroneously sends an SNMP packet response to itself. An unauthenticated, remote attacker could exploit this vulnerability by submitting crafted SNMP packets with spoofed source IP addresses to the affected device. Processing such packets could result in a loop within the software until the memory resources are consumed. A successful exploit could cause the affected device to stop responding, resulting in a DoS condition.

Targeted to endpoints running LINUX-only. Request that the SA determine whether or not this product is installed and if so, the version. If the version is not greater than or equal to the version listed in the preceding vulnerable systems, this is a finding.
_____________________________________________________________

Vulnerability Discussion:Oracle has released their quarterly Critical Patch Update Advisory for October 2010 addressing multiple vulnerabilities in Oracle VM. These vulnerabilities are not remotely exploitable without authentication. If successfully exploited, this vulnerability would allow a remote attacker to completely compromise the affected system.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Vulnerability Discussion:Intel has released a security advisory addressing a privilege escalation vulnerability in Intel Xeon Baseboard Management Component (BMC) firmware. To exploit this vulnerability, a remote attacker would utilize various tactics, techniques and procedures (TTP). If successfully exploited, this vulnerability would allow a remote attacker the ability to deny service to legitimate users, escalate privileges and compromise the affected system.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. Baseboard Management Component Privilege Escalation Vulnerability:Under certain circumstances a privilege escalation issue is present in the Baseboard Management Component (BMC) firmware for Intel Xeon 5500, 5600 Series products. A knowledgeable remote malicious attacker could leverage this issue to deny service to legitimate users. This issue was found during internal validation testing and Intel has not received any reports of it being exploited externally.

There are multiple ways of determining your current version of BMC firmware. You can use any one of the following methods:

Reboot or power cycle the system. During POST after video comes up press F2 to go into Setup. After you are in setup use the right or left arrow keys to select the Server Management tab. Then use the down arrow to highlight System Information and then press enter.

Use the sysconfig utility that comes with the Intel® Deployment Assistant CD that came with your system. Command to run: sysconfig /i

BMC                                   Fix included in this version or higher
Intel Xeon 5500 Series BMC Firmware   00.53 or higher
Intel Xeon 5600 Series BMC Firmware   00.53 or higher

The lshw command is a tool to extract detailed information on the hardware configuration of the machine running Linux. It can report exact memory configuration, firmware version, main board configuration, CPU version and speed, cache configuration, bus speed, etc. For Solaris, prtdiag or psrinfo should provide similarly formatted information.

Check for the XEON BMC version by performing the following:

# lshw | more

OR for Solaris:

# prtdiag -v
# psrinfo -v

If applicable (i.e., a XEON BMC is present) and the version does not meet or exceed the minimum version(s) listed in the “Vulnerable Systems” section above, this is a finding.
_____________________________________________________________

Vulnerability Discussion:VMware has released a security advisory addressing multiple vulnerabilities in various VMware products. VMware products provide enterprise level virtualization. To exploit these vulnerabilities, an attacker would utilize various TTPs (Tactics, Techniques and Procedures). If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code or elevate privileges from a host OS.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. VMware VMnc Codec frame decompression Remote Code Execution Vulnerability - (CVE-2010-4294):A function in the decoder frame decompression routine implicitly trusts a size value. An attacker can utilize this to miscalculate a destination pointer, leading to the corruption of a heap buffer, and could allow for execution of arbitrary code with the privileges of the user running an application utilizing the vulnerable codec. For an attack to be successful the user must be tricked into visiting a malicious web page or opening a malicious video file on a system that has the vulnerable version of the VMnc codec installed.
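The defect described, a decoder that trusts a size field from the stream when computing a destination pointer and driving a copy, is the classic heap-corruption pattern in media codecs. The C below is an added illustration, not VMware code: it parses a small constructed tile format, validates the declared length against both the bytes actually present and the destination canvas, and only then copies. The frame layout, field names and sample frames are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not VMware code. Constructed tile layout (one byte per pixel,
 * little-endian fields):
 *   u16 x | u16 y | u16 w | u16 h | u32 len | len bytes of pixels
 * The size field is the part the vulnerable decoder trusted implicitly. */

struct frame {
    uint16_t x, y, w, h;
    uint32_t len;
    const uint8_t *pixels;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a header and check the declared length against what is really there.
 * Returns 0 on success, -1 when the frame is truncated or inconsistent. */
int parse_frame(const uint8_t *buf, size_t buflen, struct frame *f)
{
    if (buflen < 12) return -1;                        /* header itself is missing */
    f->x = rd16(buf);     f->y = rd16(buf + 2);
    f->w = rd16(buf + 4); f->h = rd16(buf + 6);
    f->len = rd32(buf + 8);
    if (f->len > buflen - 12) return -1;               /* claims more payload than supplied */
    if ((uint32_t)f->w * f->h != f->len) return -1;    /* geometry disagrees with length */
    f->pixels = buf + 12;
    return 0;
}

/* Copy the tile into a canvas of canvas_w * canvas_h bytes. The vulnerable
 * pattern computes dst = canvas + y * canvas_w + x and copies the declared
 * bytes; here the tile's extent is checked against the canvas first. */
int blit_frame(const struct frame *f, uint8_t *canvas, size_t canvas_w, size_t canvas_h)
{
    if ((size_t)f->x + f->w > canvas_w) return -1;    /* runs off the right edge */
    if ((size_t)f->y + f->h > canvas_h) return -1;    /* runs off the bottom edge */
    for (size_t row = 0; row < f->h; row++)
        memcpy(canvas + ((size_t)f->y + row) * canvas_w + f->x,
               f->pixels + row * (size_t)f->w, f->w);
    return 0;
}

/* Full decode: returns 0 only if both the header and the placement check pass. */
int decode_into(const uint8_t *buf, size_t buflen, uint8_t *canvas, size_t cw, size_t ch)
{
    struct frame f;
    if (parse_frame(buf, buflen, &f) != 0) return -1;
    return blit_frame(&f, canvas, cw, ch);
}

/* Constructed sample frames for a 4x4 canvas. */
static const uint8_t GOOD_FRAME[]      = { 1,0, 1,0, 2,0, 2,0, 4,0,0,0, 0xAA,0xBB,0xCC,0xDD };
static const uint8_t OVERSIZED_FRAME[] = { 1,0, 1,0, 0xFF,0xFF, 0xFF,0xFF, 0x01,0x00,0x00,0x7F, 0x00 };
static const uint8_t OFFCANVAS_FRAME[] = { 3,0, 3,0, 2,0, 2,0, 4,0,0,0, 1,2,3,4 };

/* 1 when the good frame lands exactly at rows 1-2, columns 1-2 of the canvas. */
int demo_good(void)
{
    uint8_t c[16] = {0};
    if (decode_into(GOOD_FRAME, sizeof GOOD_FRAME, c, 4, 4) != 0) return 0;
    return c[5] == 0xAA && c[6] == 0xBB && c[9] == 0xCC && c[10] == 0xDD && c[0] == 0 && c[15] == 0;
}

/* Decoder result for the hostile frames (-1 means rejected before any write). */
int demo_oversized(void) { uint8_t c[16] = {0}; return decode_into(OVERSIZED_FRAME, sizeof OVERSIZED_FRAME, c, 4, 4); }
int demo_offcanvas(void) { uint8_t c[16] = {0}; return decode_into(OFFCANVAS_FRAME, sizeof OFFCANVAS_FRAME, c, 4, 4); }
```

Two separate checks are needed: the length against the input (so the decoder never reads past the file) and the tile geometry against the output (so the computed destination pointer never leaves the heap buffer). Either one alone still leaves a corruption path.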

Check Content:Windows - See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
VMware Workstation 7.1.1 and earlier
VMware Workstation 6.5.4 and earlier
VMware Player 3.1.1 and earlier
VMware Player 2.5.4 and earlier

View the About “Product” from the menu to view version and build numbers.

Alternately, check the version through the Support information link for the program in Add or Remove Programs or in Programs and Features (Vista and later). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.

Vulnerability Discussion:Red Hat has addressed multiple vulnerabilities affecting the JBoss Enterprise Application Platform. To exploit these vulnerabilities, an attacker would send malicious packets to the affected system or interact with the vulnerable environment in a malicious manner. If successfully exploited, these vulnerabilities would allow a remote attacker to execute arbitrary code on the affected system and cause denial of service conditions.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. JBoss Drools Input Sanitization Vulnerability - (CVE-2010-3708):An input sanitization vulnerability was found in the way JBoss Drools implemented certain rule base serialization. If a remote attacker supplied specially-crafted input to a JBoss Seam based application that accepts serialized input, it could lead to arbitrary code execution with the privileges of the JBoss server process.

JMX-Console Cross-Site Request Forgery (CSRF) Vulnerability - (CVE-2010-3878):A Cross-Site Request Forgery (CSRF) vulnerability was found in the JMX Console. A remote attacker could use this vulnerability to deploy a WAR file of their choosing on the target server, if they are able to trick a user, who is logged into the JMX Console as the admin user, into visiting a specially-crafted web page.

JBoss Remoting Denial of Service Vulnerability - (CVE-2010-3862):A vulnerability was found in the JBoss Remoting component. A remote attacker could use specially-crafted input to cause the JBoss Remoting listeners to become unresponsive, resulting in a denial of service condition for services communicating via JBoss Remoting sockets.

Vulnerability Discussion:Citrix has reported a cross-site scripting vulnerability affecting certain versions of Citrix Web Interface. The Web Interface is an application deployment system that provides users with access to applications through a standard Web browser. To exploit this vulnerability, an attacker would entice a user to follow a malicious URI sent via email or hosted on a webpage. If successfully exploited, this vulnerability would allow a remote attacker to execute arbitrary code in the user's browser in the context of the affected system and gain access to sensitive information.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Vulnerability Discussion:Hewlett Packard has released a customer advisory addressing a vulnerability in HP StorageWorks Systems. HP StorageWorks is a storage array solution. To exploit this vulnerability, an attacker would take advantage of a hidden default administrator account for malicious purposes. Successful exploitation of this vulnerability would result in the complete compromise of affected systems.

At this time, the default admin account name and password are publicly disclosed; USCYBERCOM is not aware of any DoD related incidents.

Vulnerability Discussion:Hewlett-Packard has released a security bulletin addressing a vulnerability affecting various HP LaserJet printers. To exploit this vulnerability, an attacker would send a malicious URI request to an affected system. If successfully exploited, this vulnerability would allow an attacker to gain access to sensitive information.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. HP LaserJet Printers PJL Directory Traversal Vulnerability - (CVE-2010-4107):A potential security vulnerability has been identified with HP LaserJet MFP printers, HP Color LaserJet MFP printers, and certain HP LaserJet printers. The vulnerability could be exploited remotely to gain unauthorized access to files.

Note: System administrators should refer to the HP Security Bulletin to determine affected applications/system and appropriate fix actions. Implementation of the recommended mitigation will constitute compliance with this IAVB.

Vendor Recommended Mitigation
Files within the printer can be accessed using the Printer Job Language (PJL) interface to exploit a directory traversal vulnerability. The vulnerability can be avoided by either one of the following actions:
(1) disable file system access via the PJL interface
(2) set a PJL password

This is not currently an HP-UX/UNIX vulnerability, but it is an HP print/printer vulnerability. For HP-UX, this is not applicable. However, it can be determined what, if any, printers are enabled/spooled using the HP-SMH or the command-line command:

Vulnerability Discussion:IBM has addressed a vulnerability affecting IBM WebSphere Service Registry and Repository. The IBM WebSphere Service Registry and Repository is a platform that can communicate with IBM Rational Asset Manager on any of its supported platforms, to include Sun Solaris, HP-UX, Linux, Microsoft, and IBM AIX platforms. To exploit this vulnerability, a remote attacker would use various tactics, techniques and procedures to compromise the affected system. If successfully exploited, this vulnerability would allow a remote attacker to compromise the confidentiality, integrity and/or availability of affected systems.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. IBM WebSphere Service Registry and Repository Vulnerability - (CVE-2011-2644):WebSphere Service Registry and Repository could allow a remote attacker to bypass authentication restrictions, caused by improper validation in the EJB access control. By using the API, an attacker could exploit this vulnerability to bypass authentication and gain access to governance activities on the vulnerable governance EJB.

Vulnerability Discussion:IBM has addressed multiple vulnerabilities in IBM DB2. IBM DB2 is a relational database management system produced by IBM capable of running on various platforms to include: AIX, HP-UX, Linux, Solaris and Windows. To exploit these vulnerabilities, an attacker would send malicious data to an affected system. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code, cause a denial of service condition or escalate privileges on the affected system.

Vulnerability Discussion:IDA Pro has addressed multiple vulnerabilities affecting IDA Pro. IDA Pro is a debugger and disassembler available for multiple operating platforms. To exploit these vulnerabilities, the attacker would send a malicious Mach-O file to an affected system and entice a user to access the file. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code in the context of the affected application.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Vulnerability Discussion:IBM has reported multiple vulnerabilities in IBM Tivoli Access Manager. IBM Tivoli Access Manager is an authentication and authorization solution for corporate web services, operating systems, and existing applications. Tivoli Access Manager runs on various operating system platforms such as Unix (AIX, Solaris, HP-UX), Linux and Microsoft Windows. To exploit these vulnerabilities, an attacker would submit a URI that contains directory-traversal characters to point to an arbitrary file on the web server, which would return unauthorized sensitive information to the attacker. If successfully exploited, these vulnerabilities would allow an attacker to deny service to legitimate users, gain unauthorized access to sensitive information and execute arbitrary code, resulting in the compromise of the affected systems.

At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. Directory traversal vulnerability (CVE-2011-0494):Directory traversal vulnerability in WebSEAL in IBM Tivoli Access Manager for e-business 5.1 before 5.1.0.39-TIV-AWS-IF0040, 6.0 before 6.0.0.25-TIV-AWS-IF0026, 6.1.0 before 6.1.0.5-TIV-AWS-IF0006, and 6.1.1 before 6.1.1-TIV-AWS-FP0001 has unspecified impact and attack vectors. NOTE: this might overlap CVE-2010-4622.
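Both the WebSEAL directory traversal above and the HP LaserJet PJL file-system traversal (CVE-2010-4107) earlier on this page belong to the same class: a request path is decoded and handed to the file system without confinement. The C below is an added illustration, not IBM or HP code: it decodes %XX escapes exactly once, refuses ".." components outright instead of normalising them, and rebuilds the path underneath a fixed root. The document root and sample requests are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not IBM WebSEAL or HP firmware code. Decode once (as many
 * times as the rest of the stack does), reject parent-directory components,
 * and join under a fixed root. The root and requests below are constructed. */

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes once. Returns -1 on a malformed escape, an encoded NUL
 * (%00, which would truncate the path in a later C string operation), or when
 * the output does not fit. */
int url_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval(in[i + 1]);
            int lo = (hi < 0) ? -1 : hexval(in[i + 2]);   /* never reads past the NUL */
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
            if (c == 0) return -1;
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Join root and the decoded request into out. Rejects absolute requests,
 * backslashes and any ".." component. Returns 0 on success, -1 on rejection. */
int confine_path(const char *root, const char *request, char *out, size_t outsz)
{
    char decoded[512];
    if (url_decode(request, decoded, sizeof decoded) != 0) return -1;
    if (decoded[0] == '/' || strchr(decoded, '\\') != NULL) return -1;

    int written = snprintf(out, outsz, "%s", root);
    if (written < 0 || (size_t)written >= outsz) return -1;
    size_t used = (size_t)written;

    const char *p = decoded;
    while (*p != '\0') {
        const char *slash = strchr(p, '/');
        size_t seglen = slash ? (size_t)(slash - p) : strlen(p);
        if (seglen == 0 || (seglen == 1 && p[0] == '.')) {
            /* empty (double slash) or "." component: nothing to add */
        } else if (seglen == 2 && p[0] == '.' && p[1] == '.') {
            return -1;                                /* parent directory: fail closed */
        } else {
            int n = snprintf(out + used, outsz - used, "/%.*s", (int)seglen, p);
            if (n < 0 || (size_t)n >= outsz - used) return -1;
            used += (size_t)n;
        }
        p = slash ? slash + 1 : p + seglen;
    }
    return 0;
}

/* Resolve a request under a fixed (constructed) document root; returns the
 * confined path, or NULL when the request is rejected. */
const char *resolve_under_docroot(const char *request)
{
    static char path[1024];
    if (confine_path("/srv/www/docroot", request, path, sizeof path) != 0) return NULL;
    return path;
}

int main(void)
{
    const char *samples[] = { "css/site.css", "images/./logo.png", "../../../etc/passwd", "%2e%2e/%2e%2e/secret" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *p = resolve_under_docroot(samples[i]);
        printf("%-24s -> %s\n", samples[i], p ? p : "REJECTED");
    }
    return 0;
}
```

Rejecting ".." rather than collapsing it is deliberate: a normaliser that pops components has to get every encoding and separator variant right, whereas a reject rule only has to recognise the component after the single decode the server actually performs.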

List the current version of Tivoli Access Manager components installed on the system. This command is located in the /opt/PolicyDirector/sbin/ (default installation) directory on UNIX systems. See example output directly below:

Vulnerability Discussion:Apache has addressed a denial of service vulnerability in Apache Portable Runtime (APR) and Apache Portable Runtime Utility. Apache APR is a library of utility functions used by several applications, including the Apache HTTP server. To exploit this vulnerability, a remote attacker would submit a malicious request in the form of a crafted URI. Successful exploitation of this vulnerability would result in a denial of service condition on affected systems.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. Apache Denial of Service Vulnerability - (CVE-2011-1928):The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used.

Vulnerability Discussion:IBM has addressed a remote code execution vulnerability in the IBM Tivoli Management Framework. IBM Tivoli Management Framework is the foundation for a suite of management applications that facilitates enterprise network and system management. To exploit this vulnerability, a remote attacker would send a malicious request to a vulnerable IBM Tivoli Endpoint. If successfully exploited, this vulnerability would allow an attacker to compromise affected systems.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. IBM Tivoli Endpoint Buffer Overflow Vulnerability - (CVE-2011-1220):Stack-based buffer overflow in lcfd.exe in Tivoli Endpoint in IBM Tivoli Management Framework 3.7.1, 4.1, 4.1.1, and 4.3.1 allows remote authenticated users to execute arbitrary code via a long opts field. The specific flaw exists within the lcfd.exe process which listens by default on TCP port 9495. To reach this page remotely authentication is required. However, by abusing a built-in account an attacker can access the restricted pages. While parsing requests to one of these, the process blindly copies the contents of a POST variable to a 256 byte stack buffer. This can be leveraged by a remote attacker to execute arbitrary code under the context of the SYSTEM user.

Mitigations:IBM workaround

Mitigation Control:IBM has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POAM to help block known attack vectors until required compliance actions can be completed.

Workaround
In case it is not possible to apply the patch quickly, you can work around the issue by disabling the function to change the configuration from a web browser. Use either of the following values for the http_disable configuration option on the endpoint:

1: Anyone can use a browser to view the configuration data, but no one can use a browser to reconfigure the endpoint.
2: No one can use a browser to view or reconfigure the endpoint.

Follow these steps to change the http_disable configuration option on the endpoint:

To determine the version of Tivoli Storage Manager using the graphical user interface click on Help and choose About TSM

Vulnerability Discussion:VMware has released a security advisory addressing multiple vulnerabilities affecting various VMware products. To exploit these vulnerabilities, attackers would utilize various TTPs (Tactics, Techniques and Procedures). Successful exploitation of the most serious of these vulnerabilities would result in the complete compromise of affected systems.

At this time, there are known exploits associated with some of the identified vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. e1000 Driver Packet Filter Bypass Vulnerability - (CVE-2009-4536):There is an issue in the Service Console e1000 Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters.

SCSI Driver Denial of Service / Possible Privilege Escalation Vulnerability - (CVE-2009-3080):A local attacker can achieve a denial of service and possibly a privilege escalation via a vulnerability in the Linux SCSI drivers.

IPv4 Remote Denial of Service Vulnerability - (CVE-2010-1188):A remote attacker can achieve a denial of service via an issue in the kernel IPv4 code.

Mount.vmhgfs Privilege Escalation Vulnerability - (CVE-2011-2145):Privilege escalation via a procedural error that allows an attacker with access to the guest operating system to gain write access to an arbitrary file in the Guest filesystem. This issue only affects Solaris and FreeBSD Guest Operating Systems.

Mount.vmhgfs Information Disclosure Vulnerability - (CVE-2011-2146):Information disclosure via a vulnerability that allows an attacker with access to the Guest to determine if a path exists in the Host filesystem and whether it is a file or directory regardless of permissions.

Mount.vmhgfs Privilege Escalation Vulnerability - (CVE-2011-1787):Privilege escalation via a race condition that allows an attacker with access to the guest to mount on arbitrary directories in the Guest filesystem and achieve privilege escalation if they can control the contents of the mounted directory.

VI Client Memory Corruption Vulnerability - (CVE-2011-2217):VI Client COM objects can be instantiated in Internet Explorer which may cause memory corruption. An attacker who succeeded in making the VI Client user visit a malicious Web site could execute code on the user's system within the security context of that user.

Vulnerability Discussion:Adobe has released a security bulletin addressing multiple vulnerabilities in LiveCycle and BlazeDS. To exploit these vulnerabilities, a remote attacker would create a malicious document and entice a user of an affected system to access the document. If successfully exploited, these vulnerabilities would allow a remote attacker to compromise an affected system.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. Adobe LiveCycle and BlazeDS Deserialization Vulnerability - (CVE-2011-2092):Adobe LiveCycle Data Services 3.1 and earlier, LiveCycle 9.0.0.2 and earlier, and BlazeDS 4.0.1 and earlier do not properly restrict creation of classes during deserialization of (1) AMF and (2) AMFX data, which allows attackers to have an unspecified impact via unknown vectors, related to a "deserialization vulnerability."

Adobe LiveCycle and BlazeDS Denial of Service Vulnerability - (CVE-2011-2093):Adobe LiveCycle Data Services 3.1 and earlier, LiveCycle 9.0.0.2 and earlier, and BlazeDS 4.0.1 and earlier do not properly handle object graphs, which allows attackers to cause a denial of service via unspecified vectors, related to a "complex object graph vulnerability."

Alternately, check the version through the Support information link for the program in Add or Remove Programs or in Programs and Features (Vista/2008/Win 7). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:Massachusetts Institute of Technology (MIT) has addressed a vulnerability affecting MIT Kerberos 5 (krb5) in the FTP daemon. Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. An authenticated remote user can gain unauthorized read or write access to files whose group owner is the initial effective group ID of the FTP daemon process. If successfully exploited, this vulnerability would allow an attacker to gain unauthorized access to the affected system.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. MIT Kerberos krb5-appl FTP Daemon EGID Remote Privilege Escalation Vulnerability - (CVE-2011-1526):The vulnerability results from two interacting flaws: omission of required autoconf tests, causing krb5_setegid() to always fail, and the FTP daemon's failure to check for the successful execution of krb5_setegid().

The FTP daemon calls the portability macro krb5_setegid() from k5-util.h, which is intended to wrap or emulate the POSIX interface setegid(). The definition of the macro depends on macros that the autoconf configure script defines (based on tests of the target platform environment) when it runs. When the krb5 application programs moved out of the main krb5 source tree, the new configure script inadvertently omitted the necessary autoconf tests for setegid() and related legacy interfaces. If no setegid() equivalent appears to exist on the system, k5-util.h defines krb5_setegid() to always fail with errno EPERM. Since the relevant autoconf tests never execute, k5-util.h will always define krb5_setegid() to fail.

The FTP daemon does not check the return value of krb5_setegid(), so it silently fails to set its effective GID, allowing users to gain unauthorized access using the effective GID that the daemon process started with.
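As an added illustration (not MIT's krb5-appl code), the following C program models the two interacting flaws described above: a setegid() wrapper that can only fail with EPERM, and a daemon that serves the request without checking the result. Credentials are simulated so it runs unprivileged; the proc_creds struct and the names broken_setegid, working_setegid, serve_request_unchecked, serve_request_checked and run_scenario are this example's own, and it places the fail-closed check beside the vulnerable pattern.

```c
/* Added example (not MIT krb5-appl code): models the CVE-2011-1526 pattern.
 * A privilege-dropping wrapper that can only fail, called by a daemon that
 * never checks the result, leaves the process running with its original
 * effective GID. Credentials are simulated so this runs without root. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Simulated process credentials (stand-in for the kernel's real ones). */
typedef struct {
    gid_t egid;     /* effective group ID the daemon currently runs with */
} proc_creds;

/* A setegid()-like wrapper operating on the simulated credentials. */
typedef int (*setegid_fn)(proc_creds *p, gid_t gid);

/* Mirrors the fallback the advisory describes: when configure never ran the
 * setegid() tests, the wrapper is defined to fail with EPERM and leaves the
 * credentials untouched. */
static int broken_setegid(proc_creds *p, gid_t gid)
{
    (void)p;
    (void)gid;
    errno = EPERM;
    return -1;
}

/* What the wrapper does on a correctly configured build. */
static int working_setegid(proc_creds *p, gid_t gid)
{
    p->egid = gid;
    return 0;
}

/* Vulnerable pattern (as described for the FTP daemon): the return value is
 * discarded and the request is served regardless. Returns the effective GID
 * that file access will run under. */
static long serve_request_unchecked(proc_creds *p, setegid_fn set_egid,
                                    gid_t user_gid)
{
    set_egid(p, user_gid);      /* result silently ignored ... */
    return (long)p->egid;       /* ... so this may still be the daemon's GID */
}

/* Hardened pattern: fail closed. Returns -1 and refuses to serve the request
 * if the credential change did not take effect. */
static long serve_request_checked(proc_creds *p, setegid_fn set_egid,
                                  gid_t user_gid)
{
    if (set_egid(p, user_gid) != 0) {
        return -1;              /* log errno and drop the session */
    }
    if (p->egid != user_gid) {
        return -1;              /* verify the change actually happened */
    }
    return (long)p->egid;
}

/* Runs one scenario and returns the GID the request would be served under,
 * or -1 if the hardened daemon refused it. */
static long run_scenario(setegid_fn set_egid, int hardened,
                         gid_t daemon_gid, gid_t user_gid)
{
    proc_creds p = { daemon_gid };
    return hardened ? serve_request_checked(&p, set_egid, user_gid)
                    : serve_request_unchecked(&p, set_egid, user_gid);
}

int main(void)
{
    /* Constructed values: daemon starts with EGID 0, client's group is 1000. */
    const gid_t daemon_gid = 0;
    const gid_t user_gid = 1000;

    printf("unchecked daemon, broken wrapper: serves as gid %ld\n",
           run_scenario(broken_setegid, 0, daemon_gid, user_gid));
    printf("checked daemon,   broken wrapper: result %ld (refused)\n",
           run_scenario(broken_setegid, 1, daemon_gid, user_gid));
    printf("checked daemon,   working wrapper: serves as gid %ld\n",
           run_scenario(working_setegid, 1, daemon_gid, user_gid));
    return 0;
}
```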

Vulnerability Discussion:Red Hat has addressed multiple vulnerabilities affecting JBoss products that use the JBoss Seam 2 framework. The JBoss Seam 2 framework is an application framework for building web applications in Java. To exploit these vulnerabilities, an attacker would send a malicious web link to an affected application that uses the JBoss Seam framework. If successfully exploited, these vulnerabilities would allow a remote attacker to execute arbitrary code resulting in the complete compromise of affected systems.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

JBoss Seam Expression Language (EL) Remote Code Execution Vulnerability - (CVE-2011-2196):JBoss Seam 2 did not block access to all malicious JBoss Expression Language (EL) constructs in page exception handling, allowing arbitrary Java methods to be executed. A remote attacker could use this vulnerability to execute arbitrary code via a specially-crafted URL provided to certain applications based on the JBoss Seam 2 framework. Note: this vulnerability exists because of an incomplete fix for CVE-2011-1484.

Vulnerability Discussion:Sybase has addressed multiple vulnerabilities affecting Sybase products. To exploit these vulnerabilities, an attacker would utilize various tactics, techniques and procedures. If successfully exploited, these vulnerabilities would allow an attacker to compromise the affected system.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Sybase Malformed TDS Vulnerability: An array indexing vulnerability within Sybase Backup and Monitor when handling certain login packets can be exploited to corrupt memory. The specific flaw exists within the way Sybase Backup and Monitor servers handle certain data in the login packets. Malformed packets can cause the service in question to look up a function pointer outside a predefined function pointer array. It is possible to set this function pointer to an address where user controlled data exists and this will result in code execution under the rights of the user running the Monitor Server.

Sybase Login Packet Vulnerability:A vulnerability within Sybase Backup and Monitor server when handling certain login packets can be exploited to write a NULL byte to an arbitrary memory location on the stack. The specific flaw exists within the way Sybase Backup and Monitor servers handle certain data in the login packets. Malformed packets can cause the service in question to write a NULL byte on the stack, which can be leveraged by a remote attacker to execute code under the context of the running service.

Note: Within the ASE Bundle, only the supplemental servers are affected. That is Backup Server, Monitor Server, Historical Server, XP Server, and Job Scheduler. The ASE Server itself is not affected by this issue.

Vulnerability Discussion:Hewlett-Packard (HP) has addressed multiple vulnerabilities affecting HP Network Automation running on Linux, Solaris, and Windows Platforms. HP Network Automation is an application for managing network data. To exploit these vulnerabilities, an attacker would send malicious requests to an affected application or entice a user to view malicious data sent via email or hosted on a website. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code resulting in the compromise of affected systems.

At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

HP Network Automation Unspecified Cross Site Scripting Vulnerability - (CVE-2011-2402):Certain unspecified input is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

HP Network Automation SQL Injection Vulnerability - (CVE-2011-2403):Certain unspecified input is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Vulnerability Discussion:Hewlett-Packard (HP) has addressed a vulnerability affecting HP OpenView Operations Manager. HP Operations Manager is an application for managing IT infrastructure. To exploit this vulnerability, an attacker would send malicious requests to an affected system. If successfully exploited, this vulnerability would allow a remote unauthenticated attacker to delete arbitrary files on the affected system.

At this time, there are known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Vulnerability Discussion:Hewlett Packard has addressed a vulnerability affecting HP OpenView Data Protector in the media management daemon (mmd). HP OpenView Data Protector is a commercial data-management product for backup and recovery operations. To exploit this vulnerability, an attacker would send a malicious request to the affected application. If successfully exploited, this vulnerability would allow a remote attacker to cause a denial of service condition.

At this time, there are known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. HP Data Protector Media Management Daemon (mmd) Denial of Service Vulnerability - (CVE-2011-2399):A potential security vulnerability has been identified with HP Data Protector's Media Management Daemon (mmd). The vulnerability could be remotely exploited to create a Denial of Service (DoS).

Vulnerability Discussion:Hewlett-Packard (HP) has addressed multiple vulnerabilities affecting HP SiteScope. HP SiteScope is an agentless monitoring application for IT infrastructures. To exploit these vulnerabilities, an attacker would entice a user to view a malicious HTML file sent via email or hosted on a website. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code resulting in the compromise of an affected system.

At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

HP SiteScope Unspecified Cross Site Scripting Vulnerability - (CVE-2011-2400):Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

HP SiteScope Unspecified Session Fixation Vulnerability - (CVE-2011-2401):A vulnerability in the handling of sessions can be exploited to hijack another user's session by tricking the user into logging in after following a specially crafted link.

Vulnerability Discussion:Adobe has released a security bulletin addressing a vulnerability in Adobe Flash Media Server. To exploit this vulnerability, a remote attacker would send malicious data to an affected system. If successfully exploited, this vulnerability would allow an attacker to cause a denial of service condition and compromise the affected systems.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Adobe Flash Media Server Memory Corruption Remote Denial of Service Vulnerability - (CVE-2011-2132):A critical vulnerability has been identified in Adobe Flash Media Server (FMS) 4.0.2 and earlier versions, and Adobe Flash Media Server (FMS) 3.5.6 and earlier versions for Windows and Linux. The vulnerability could allow an attacker, who successfully exploits the vulnerability, to cause a denial of service on the affected system.

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Windows – Download and apply the appropriate patches from the vendor. See IAVM notice and vendor bulletin for additional information.

Check the application’s version number:

Windows - Open "Flash Media Administration Console" from start->All Programs->Adobe->Flash Media Server. Click on Flash Media Server and log in using your credentials. After login click on "Manage Servers" then click on "License"; one will be able to see which version and which edition of Flash Media Server is installed.

Alternately, check the version through the Support information link for the program in Add or Remove Programs or in Programs and Features (Vista/2008/Win 7). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:Symantec has released a security advisory addressing buffer overflow vulnerabilities in various Symantec products. To exploit these vulnerabilities, an attacker would create and send a malicious request to an affected system. If successfully exploited, these vulnerabilities would allow the remote attacker to execute arbitrary code with system level privileges resulting in the compromise of affected systems. At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:Symantec workaround

Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

WORKAROUND:Until patches are available and/or applied, customers are advised to implement the following workaround to protect their installations:

Disable Veritas Enterprise Administrator (vxsvc) service via the following commands:

Note: Product versions prior to those listed above are NOT supported. Customers running legacy product versions should upgrade and apply available updates. Symantec FileStore (SFS) is not affected in the default configuration.

Check the application’s version number by using the Help & Support, About menu.

Alternately, check the version through the Support information link for the program in Add or Remove Programs or in Programs and Features (Vista/2008/Win 7). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.

Note: System administrators should refer to the Symantec Security Advisory to determine affected applications/system and appropriate fix actions.

Check Content:Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Temporary Mitigation Strategies

Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

WORKAROUND:Until patches are available and/or applied, customers are advised to implement the following workaround to protect their installations:

Disable Veritas Enterprise Administrator (vxsvc) service via the following commands:

Vulnerability Discussion:Red Hat has addressed a vulnerability in various JBoss products that use the JBoss Web Services Native component. JBoss Web Services Native is a web service framework included as part of JBoss Enterprise Application Platform. It implements the JAX-WS specification. To exploit this vulnerability, an attacker would send a malicious request to an affected web service that uses the JBoss Web Services Native component. If successfully exploited, this vulnerability would allow an attacker to consume excessive CPU and memory resources on the affected system, denying service to legitimate users.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

JBossWS Native Remote Denial of Service Vulnerability - (CVE-2011-1483):A vulnerability was found that JBoss Web Services Native did not properly protect against recursive entity resolution when processing Document Type Definitions (DTD). A remote attacker could exploit this vulnerability by sending a specially-crafted HTTP POST request to a deployed web service, causing excessive CPU and memory consumption on the system hosting that service. If the attack is repeated to consume all available network sockets, the server will become unavailable. This vulnerability did not affect systems using JBoss Web Services CXF.

Note: Due to the number of platforms affected by this vulnerability system administrators should refer to the Red Hat security advisories in the reference section above to determine affected applications/system and appropriate fix actions. Before applying any update, make sure all previously-released errata relevant to your system have been applied.
_____________________________________________________________

Vulnerability Discussion:Oracle has released their quarterly Critical Patch Update Advisory for October 2011 addressing multiple vulnerabilities in Oracle Linux. This Critical Patch Update contains one new security fix for Oracle Linux. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. This risk matrix only includes fixes for Oracle proprietary components of Oracle Linux. All other Oracle Linux fixes are announced in the El-errata Archives.

Vulnerability Discussion:VMware has released a security advisory addressing multiple vulnerabilities affecting VMware vCenter Server 4.1 and vCenter Update Manager 4.1. To exploit these vulnerabilities, an attacker would utilize various TTPs (Tactics, Techniques and Procedures). Successful exploitation of the most serious of these vulnerabilities would result in the complete compromise of affected systems.

At this time, there are known exploits associated with at least one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Note: System administrators should refer to the HP Security Bulletin in the reference section above to determine affected applications/system and appropriate fix actions. Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Check Content:Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Vulnerability Discussion:Adobe has addressed a vulnerability in various versions of Adobe Flex SDK. Adobe Flex is a software development kit enabling development and deployment of cross-platform applications based on the Adobe Flash platform. To exploit this vulnerability, an attacker would entice a user to follow a malicious URI. If successfully exploited, this vulnerability would allow an attacker to execute arbitrary code in the context of the affected site.

At this time, there are known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Adobe Flex SDK Cross Site Scripting Vulnerability - (CVE-2011-2461):An important vulnerability has been identified in the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions on the Windows, Macintosh and Linux operating systems:

Web-based (not AIR-based) Flex applications built using any release of Flex 4.x (including 4.0, 4.1, 4.5 and 4.5.1) that were compiled using static linkage of the Flex libraries rather than RSL (runtime shared library) linkage are vulnerable.

Most Flex 4.x applications that were compiled in the default way (specifically, using RSL linkage) are not vulnerable; however, there are rare cases in which they may be vulnerable. To determine whether an application is vulnerable, customers should use the SWF patching tool described in the Adobe Technote.

This vulnerability could lead to cross-site scripting issues in Flex applications. Adobe recommends users of the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions update their software, verify whether any SWF files in their applications are vulnerable, and update any vulnerable SWF files using the instructions and tools provided in the Adobe Technote in the "Reference" section above.

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Download and apply the appropriate patches from the vendor. See IAVM notice and vendor bulletin for additional information.

Vulnerability Discussion:Hewlett-Packard has addressed a vulnerability affecting various HP LaserJet printers and Digital Senders. To exploit this vulnerability, a remote attacker would send a malicious request to TCP port 9100 to update the HP device with malicious firmware. If successfully exploited, this vulnerability would allow a remote attacker to bypass security restrictions.

Alternately, check the version through the Support information link for the program in Add or Remove Programs or in Programs and Features (Vista forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:Red Hat has addressed a vulnerability in various JBoss products. To exploit this vulnerability, an attacker would utilize various tactics, techniques, and procedures to compromise an affected system. If successfully exploited, this vulnerability would allow an attacker to bypass security restrictions and compromise the affected system.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

JBoss 'mod_cluster' Security Bypass Vulnerability - (CVE-2011-4608):Part of the Native components for JBoss Enterprise Web Platform is mod_cluster, an Apache HTTP Server (httpd) based load balancer. Like mod_jk, it uses a communication channel to forward requests from httpd to an application server node. mod_cluster allowed worker nodes to register on any virtual host (vhost), regardless of the security constraints applied to other vhosts. In a typical environment, there will be one vhost configured internally for worker nodes, and another configured externally for serving content. A remote attacker could use this flaw to register an attacker-controlled worker node via an external vhost that is not configured to apply security constraints, then use that worker node to serve malicious content, intercept credentials, and hijack user sessions.

Alternately, check the version through the Support information link for the program in Add or Remove Programs or in Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.

Check Content:Unix - Solaris

Determine the version of the adobe acrobat software

#java -version

If the jboss version is not the vendor's latest version, this is a finding.
_____________________________________________________________

Vulnerability Discussion:Hewlett-Packard (HP) has addressed a vulnerability affecting HP Network Automation running on Linux, Solaris, and Windows platforms. HP Network Automation is an application for managing network data. To exploit this vulnerability, an attacker would utilize various tactics, techniques, and procedures to compromise an affected system. If successfully exploited, this vulnerability would allow an attacker to gain unauthorized access and compromise the affected application.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

HP Network Automation Running on Linux, Solaris, and Windows, Remote Unauthorized Access - (CVE-2011-4790):A potential security vulnerability has been identified with HP Network Automation running on Linux, Solaris, and Windows. The vulnerability could be exploited remotely to gain unauthorized access.

Vulnerability Discussion:Cisco has released a security advisory addressing multiple vulnerabilities in Cisco Unity Connection. Cisco Unity Connection is a feature-rich voice messaging platform that runs on the same Linux-based Cisco Unified Communications Operating System that is used by Cisco Unified Communications Manager. To exploit these vulnerabilities, an attacker would send a sequence of TCP segments to an affected system or interact with an affected application. If successfully exploited, these vulnerabilities would allow an attacker to gain elevated privileges or cause a denial-of-service condition. At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Vulnerability Discussion:RSA has addressed a buffer overflow vulnerability in the RSA SecurID Software Token Converter. RSA SecurID Software Token Converter is a command line utility that converts a software token file (SDTID file) from XML format to a Compressed Token Format. To exploit this vulnerability, an attacker would entice a user to open a malicious file sent via email or hosted on a website. If successfully exploited, this vulnerability would allow an attacker to execute arbitrary code, resulting in a denial of service condition. At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Alternately, check the version through the Support information link for the program in Add or Remove Programs or in Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:IBM has addressed multiple vulnerabilities in IBM DB2. IBM DB2 is a relational database management system produced by IBM capable of running on various platforms to include: AIX, HP-UX, Linux, Solaris and Windows. To exploit these vulnerabilities, an attacker would send a malicious request to an affected system. If successfully exploited, these vulnerabilities would allow an attacker to bypass security restrictions, cause a denial of service condition or escalate privileges on the affected system.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Vulnerability Discussion:VMware has released a Security Advisory addressing a cross-site request forgery vulnerability in VMware vShield. VMware vShield is a single management framework for securing virtual datacenters and cloud environments at all levels. To exploit this vulnerability, an attacker would entice a user of an affected system to access a malicious link. If successfully exploited, this vulnerability would allow an attacker to hijack authentication of arbitrary users and compromise affected systems. At this time, there are known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Vulnerability Discussion:Hewlett Packard has released a security bulletin addressing multiple vulnerabilities in HP Onboard Administrator. HP Onboard Administrator is an application used for remote and local administration of HP BladeSystem infrastructures. To exploit these vulnerabilities, an attacker would utilize various TTPs (Tactics, Techniques and Procedures). If successfully exploited, these vulnerabilities would allow the attacker to gain access to sensitive data, bypass security restrictions, cause a denial of service condition, or redirect a user to a malicious site. At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

HP Onboard Administrator (OA) v3.50 or later

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:RealNetworks has addressed multiple vulnerabilities affecting the RealNetworks Helix Server and Helix Mobile Server. Helix Server is a multiformat, cross-platform streaming server. To exploit these vulnerabilities, an attacker would utilize various Tactics, Techniques and Procedures (TTPs). If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code, gain access to sensitive information, conduct cross-site scripting attacks, cause a denial of service condition, and compromise the affected system. At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:RealNetworks has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

CVE-2012-1923 - Part 1, clear text passwords: The workaround is to initially change the permissions of the folder that contains authentication databases to be restricted to only administrators. This will encrypt the password for all newly stored passwords. Existing accounts must be updated with a new password to encrypt the password using Digest.

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

Helix Server / Helix Mobile Server version 14.3 or later

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:OpenSSL has addressed multiple vulnerabilities affecting various versions of OpenSSL. OpenSSL is an open-source implementation of SSL and TLS protocols used to encrypt transmission of data between web browsers and web servers. OpenSSL is designed to enable secure communications over an insecure network such as the Internet. To exploit these vulnerabilities, an attacker would establish a malicious server and entice the user to open the vulnerable application or use a man-in-the-middle attack to intercept traffic to a legitimate server. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code in the context of the application using the vulnerable library. At this time, there is a proof-of-concept exploit associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Responsibility:System Administrator
IAControls:ECMT-1, ECMT-2, VIVM-1

Check Content:Unix

Determine the version of the OpenSSL software.

Procedure:

#openssl version

If the OpenSSL version is not at least 1.0.1a or the vendor's latest version, this is a finding.

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

OpenSSL 1.0.1a or later
OpenSSL 1.0.0i or later
OpenSSL 0.9.8w or later

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:Sourcefire has released a security bulletin addressing multiple security vulnerabilities in Defense Center. Sourcefire Defense Center is an interface for categorizing events, generating recurring reports, scheduling automated Snort rule updates, configuring policies, and displaying customizable dashboards. To exploit these vulnerabilities, an attacker would craft a malicious HTTP/HTML request or script code and send it to the target device. If exploited, the attacker could download configuration information, download arbitrary files, or gain excess database permissions and compromise the system.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:Sourcefire has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

Mitigation: Customers who do not already restrict administrative access to the Defense Center or sensor UI and management ports through the built-in access lists should restrict access to port 443 to only administrative users from trusted networks.

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:Hewlett Packard has released a security bulletin regarding multiple vulnerabilities in HP Insight Manager. HP Insight Manager is a tool which assists administrators in managing HP servers. To exploit these vulnerabilities, an attacker would craft a malicious URI or webpage and entice a user to access the page. If successfully exploited, the attacker would gain unauthorized access, escalated privileges, or access to privileged information, bypass security restrictions, or redirect the user to a malicious site to aid in phishing attacks and compromise the affected system. At this time, there are known exploits associated with some of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

HP System Insight Manager v7.0 or later

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:Hewlett Packard (HP) has addressed multiple vulnerabilities affecting HP System Management Homepage (SMH). To exploit these vulnerabilities, an attacker would utilize various Tactics, Techniques and Procedures (TTPs). If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code, gain access to sensitive information, bypass security restrictions and/or cause a denial of service condition on affected systems. At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

HP SMH v7.0 or later

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:Cisco has identified multiple vulnerabilities associated with Cisco AnyConnect. Cisco AnyConnect Secure Mobility Client (previously known as the Cisco AnyConnect VPN Client) is a Virtual Private Network (VPN) client that can be installed and launched from within a web browser. To exploit these vulnerabilities, an attacker would utilize various TTPs (Tactics, Techniques and Procedures). Successful exploitation of the most serious of these vulnerabilities would result in the complete compromise of affected systems.

At this time, there is a known exploit associated with at least one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Vulnerability Discussion:Cisco has addressed a security bypass vulnerability affecting the Cisco Application Control Engine (ACE). The Cisco ACE is a load-balancing and application-delivery solution for data centers. To exploit this vulnerability, an attacker would create and send malicious packets to an affected system. If successfully exploited, this vulnerability would allow a remote attacker to compromise the affected system and change user security settings in a virtual instance on the ACE.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed. - Configure a unique management IP address for each context on the Cisco ACE. A configuration reference is available at: https://sso.cisco.com/autho/forms/CDClogin.html (Login required)

Vulnerability Discussion:IBM has addressed multiple vulnerabilities in IBM DB2. IBM DB2 is a relational database management system capable of running on various platforms to include: AIX, HP-UX, Linux, Solaris and Windows. To exploit these vulnerabilities, an attacker would send malicious data to an affected system. If successfully exploited, these vulnerabilities would allow an attacker to disclose sensitive information, gain elevated privileges, bypass security restrictions, or deny service to legitimate users.

At this time, there are known exploits associated with at least one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:IBM has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed. - To exploit the vulnerability, the user would need to be able to connect to the database and execute an SQL statement. The exposure can be reduced by revoking CONNECT privilege from PUBLIC. Use the following command to revoke CONNECT privilege from PUBLIC:

REVOKE CONNECT ON DATABASE FROM PUBLIC

To obtain more information on the REVOKE database authority command, see the following:

DB2 V9.8: http://publib.boulder.ibm.com/infocenter/db2luw/v9r8/topic/com.ibm.db2.luw.sql.ref.doc/doc/r0000981.html

DB2 V9.7: http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.sql.ref.doc/doc/r0000981.html

DB2 V9.5: http://publib.boulder.ibm.com/infocenter/db2luw/v9r5/topic/com.ibm.db2.luw.sql.ref.doc/doc/r0000981.html

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

DB2 V9.8 Fix Pack 5
DB2 V9.7 Fix Pack 6

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:Symantec has released a security advisory addressing multiple vulnerabilities in Symantec’s Message Filter management interface, the Brightmail Control Center. Symantec Message Filter is a security application deployed at the email gateway to help defend against spam, phishing, viruses and unwanted email. To exploit these vulnerabilities, an attacker would utilize various Tactics, Techniques and Procedures (TTPs). Successful exploitation would result in the complete compromise of affected systems.

At this time, there are known exploits associated with at least one of these vulnerabilities. USCYBERCOM is not aware of any DoD related incidents.

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:Symantec has released a security advisory addressing a vulnerability affecting Symantec Backup Exec. Symantec Backup Exec provides disk backup, tape backup and recovery support for Windows-based environments. To exploit this vulnerability, an attacker would place specifically-crafted files into a susceptible directory of the Granular Restore Library and entice a user to load a specifically formatted file from an alternate file location or network share. If successfully exploited, this vulnerability would allow an attacker to execute unauthorized arbitrary code with user permissions and compromise the system.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed. - As a part of normal best practices, Symantec strongly recommends:

- Restrict access to administration or management systems to privileged users.
- Restrict remote access, if required, to trusted/authorized systems only.
- Run under the principle of least privilege where possible to limit the impact of exploit by threats.
- Keep all operating systems and applications updated with the latest vendor patches.
- Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
- Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

Backup Exec System Recovery 2010 SP5

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:Symantec has released a security advisory addressing multiple vulnerabilities in Symantec Web Gateway. Symantec Web Gateway is an antivirus and web content filtering suite. To exploit these vulnerabilities, an attacker would use various tactics, techniques and procedures (TTPs). If successfully exploited, the attacker would gain the ability to remotely execute arbitrary code, bypass authentication services, change user passwords, execute arbitrary SQL commands, or gain access to the system from external connections and completely compromise the affected system.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed. - Symantec Security Response has released IPS signatures for web attacks against Symantec Web Gateway to help detect and block remote exploit attempts. Signatures are available through normal Symantec security updates.

As a part of normal best practices, Symantec strongly recommends:

- Restrict access to administration or management systems to privileged users.
- Disable remote access if not required or restrict it to trusted/authorized systems only.
- Where possible, limit exposure of application and web interfaces to trusted/internal networks only.
- Keep all operating systems and applications updated with the latest vendor patches.
  - The Symantec Web Gateway software and any applications that are installed on the Symantec Web Gateway can ONLY be updated with authorized and tested versions distributed by Symantec.
- Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
- Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.

Vulnerability Discussion:Hewlett Packard has addressed multiple vulnerabilities affecting HP Network Node Manager i (NNMi). HP Network Node Manager i is a fault-management application for IP networks. To exploit these vulnerabilities, a remote attacker would create a malicious URI and send an email to potential victims. If successfully exploited, these vulnerabilities would allow a remote attacker to perform a cross-site scripting attack and compromise the system.

At this time, there are known exploits associated with at least one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:Hewlett Packard has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed. - None

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:Symantec has released a security advisory addressing multiple vulnerabilities in Symantec’s Messaging Gateway management console. Symantec Messaging Gateway is an appliance used to filter and scan content. To exploit these vulnerabilities, an attacker would interact with the affected application or entice a user to access a malicious web link. If successfully exploited, these vulnerabilities would allow an attacker to bypass security restrictions, perform cross-site scripting attacks, and gain access to sensitive information.

At this time, there are known exploits associated with these vulnerabilities. USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed. - None

Vulnerability Discussion:McAfee has released a security advisory addressing a remote code execution vulnerability in Smartfilter Administration. McAfee Smartfilter Administration is a web filtering application. To exploit this vulnerability, a remote attacker would send a malicious .war file without authentication. If successfully exploited, the attacker would gain access to execute arbitrary code and compromise the affected system.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:McAfee has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed. - None

SmartFilter Administration version 4.2.1 and earlier, including the Bess Edition

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

SmartFilter Administration 4.2.1.01 or later of either SmartFilter Administration OR SmartFilter Administration, Bess Edition

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:Websense has released details of a remote code execution vulnerability in Websense Triton. Websense Triton is a security management solution. To exploit this vulnerability, a remote attacker would send a malicious command to a vulnerable device. If successfully exploited, the attacker would be able to execute arbitrary commands with SYSTEM-level privileges, resulting in the complete compromise of the affected system.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:Websense has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed. - None

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

Websense Hotfix 24

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:VMware has released a security advisory addressing multiple vulnerabilities affecting VMware vCenter Update Manager 4.1. To exploit these vulnerabilities, an attacker would utilize various TTPs (Tactics, Techniques and Procedures). Successful exploitation of the most serious of these vulnerabilities would result in the complete compromise of affected systems.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:VMware has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed. - None

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

vCenter Update Manager 4.1 Update 3

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:VMware has released a security advisory addressing multiple vulnerabilities affecting VMware vCenter Server 4.1. To exploit these vulnerabilities, an attacker would utilize various TTPs (Tactics, Techniques and Procedures). Successful exploitation of the most serious of these vulnerabilities would result in the complete compromise of affected systems.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:VMware has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed. - None

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

vCenter Server 4.1 Update 3

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

Vulnerability Discussion:Internet Systems Consortium (ISC) has released a knowledge base report addressing a vulnerability affecting DHCP. ISC DHCP is open source software that implements the Dynamic Host Configuration Protocol for connection to a local network. To exploit this vulnerability, a remote attacker would send malicious packets to an affected DHCP server. If successfully exploited, this vulnerability would allow an attacker to cause a denial-of-service condition.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:ISC has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed. - ISC recommends setting a value for the default-lease-time option in the configuration file, and not reducing it once set.

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

ISC DHCP version 4.1-ESV-R7 or later
ISC DHCP version 4.2.4-P2 or later

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
_____________________________________________________________

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:IBM has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed. - None

Vulnerability Discussion:IBM has released a security bulletin addressing a vulnerability in Rational Business Developer. IBM Rational Business Developer allows developers to create web services. To exploit this vulnerability, an attacker would interact with an affected system in a manner to expose this security vulnerability. If successfully exploited, the remote attacker would gain unauthorized access to sensitive information and compromise the affected system.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:IBM has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed. - Do not deploy any web services until you upgrade to V8.0.1.4 or later.

Vulnerability Discussion:Cisco has released a security advisory addressing a vulnerability in Cisco Unified Communications Manager (CUCM). CUCM is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, VoIP gateways, and multimedia applications. To exploit this vulnerability, an attacker would send malicious SIP messages to an affected device. If successfully exploited, the attacker would cause a critical service to fail, which will interrupt voice services and lead to a denial-of-service.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed. - A workaround exists for customers who do not require SIP in their environment. Cisco Unified Communication Manager versions 6.1(4), 7.1(2), and 8.0(1) introduced the ability to disable SIP processing. SIP processing is enabled by default. Use the following instructions to disable SIP processing:

Note: For a SIP processing change to take effect, the Cisco CallManager Service must be restarted. For information on how to restart the service, see the "Restarting the Cisco CallManager Service" section of the "Cisco Unified Communications Manager Administration Guide" at http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124.

Additional mitigations that can be deployed on Cisco devices in the network are available in the companion document "Identifying and Mitigating Exploitation of the Cisco Unified Communications Manager and Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability" at the following location: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=26765.

Vulnerability Discussion:Adobe has released a series of updates in preparation for the revocation of a compromised code signing certificate. The updates apply to various Adobe products and each will require different actions to ensure the affected software is updated with new digital certificates. Adobe is aware of at least two malicious utilities that were signed using the Adobe code signing certificate. As a result, Adobe is taking these actions to maintain trust in genuine Adobe software.

At this time, Adobe is aware of malicious utilities signed by compromised code signing certificates. USCYBERCOM is unaware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:Adobe has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed. - Refer to Adobe Security Certificate Updates (http://helpx.adobe.com/x-productkb/global/certificate-updates.html) for any additional steps specific to the necessary software platform.

Note: Antivirus vendors are working to ensure updated signatures can detect any malicious software signed with the compromised Adobe certificates. To ensure your network is protected, update your enterprise AV with the latest signatures as soon as possible.

Vulnerability Discussion:Adobe has released a series of updates in preparation for the revocation of a compromised code signing certificate. The updates apply to various Adobe Enterprise Products and each will require different actions to ensure the affected software is updated with new digital certificates. Adobe is aware of at least two malicious utilities that were signed using the Adobe code signing certificate. As a result, Adobe is taking these actions to maintain trust in genuine Adobe software.

At this time, Adobe is aware of malicious utilities signed by the compromised code signing certificate; USCYBERCOM is unaware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:Adobe has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed. - Reference the Adobe Guidance for IT Administrators guide (http://helpx.adobe.com/x-productkb/global/guidance-administrators-certificate-revocation.html) for any additional steps to be taken specific to software platforms.

Note: Antivirus vendors are working to ensure updated signatures can detect any malicious software signed with the compromised Adobe certificates. To ensure your network is protected, update your enterprise AV with the latest signatures as soon as possible.

Vulnerability Discussion:Adobe has released multiple security bulletins addressing vulnerabilities in ColdFusion. Adobe ColdFusion is an application development platform used for developing websites. To exploit these vulnerabilities, a remote attacker would leverage various Tactics, Techniques, and Procedures (TTPs). If successfully exploited, these vulnerabilities would allow a remote attacker to compromise affected systems.

At this time, there are known exploits associated with Adobe ColdFusion vulnerabilities; USCYBERCOM is aware of DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:Adobe has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed. - Refer to individual Adobe Security Bulletins and Advisories to determine specific mitigation strategies associated with identified vulnerabilities.

Vulnerability Discussion:Hewlett Packard has addressed an information disclosure vulnerability affecting HP Network Node Manager i (NNMi). HP Network Node Manager i is a fault-management application for IP networks. To exploit this vulnerability, a remote attacker would create a malicious URI and send an email to potential victims. If successfully exploited, this vulnerability would allow a remote attacker to gain access to sensitive information and compromise the system.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:Hewlett Packard has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed. - None

Vulnerability Discussion:Cisco has released a security advisory addressing multiple vulnerabilities in WebEx WRF Player. The Cisco WebEx WRF Player is an application used to play back WRF WebEx meeting recordings that have been recorded on a WebEx meeting site or on the computer of an online meeting attendee. To exploit these vulnerabilities, an attacker would craft malicious recording (WRF) files and send them directly to users via email or by directing a user to a malicious web page. If successfully exploited, the attacker would cause the Cisco WebEx WRF Player application to crash and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the Cisco WebEx WRF Player application.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Vulnerability Discussion:Apache Software Foundation has addressed multiple vulnerabilities affecting various versions of Apache Tomcat. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. To exploit these vulnerabilities, a remote attacker would create and send a malicious request to an affected system. If successfully exploited, these vulnerabilities would allow an attacker to bypass security restrictions or cause a denial of service condition. <br><br>

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Apache has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Vulnerability Discussion:Cisco has released a security advisory addressing a vulnerability in Prime Data Center Network Manager (DCNM). Cisco Prime Data Center Network Manager, previously known as Cisco Data Center Network Manager, is a network management application that combines the management of Ethernet and storage networks into a single dashboard to help network and storage administrators manage and troubleshoot health and performance across different families of Cisco products that run Cisco NX-OS Software. To exploit this vulnerability, an attacker would send arbitrary commands via RMI services to a target system. If successfully exploited, the attacker would gain the ability to execute arbitrary commands on the affected system.<br><br>

At this time, there is a known exploit associated with the JBoss configuration that causes this vulnerability; USCYBERCOM is not aware of any DoD related incidents.<br><br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>Because RMI transactions start with a connection to the RMI registry port, which by default is TCP port 1099 or 9099 depending on the Cisco Prime DCNM version, allowing only legitimate devices to connect to the RMI registry port can mitigate this vulnerability.<br><br>

Additional mitigations that can be deployed on Cisco devices within the network are available in the companion document "Identifying and Mitigating Exploitation of the Cisco Prime Data Center Network Manager Remote Command Execution Vulnerability", which is available at the following link: <a href="http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=27268">http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=27268</a>.<br>
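Restricting the RMI registry port, as an added example that is not part of the Cisco advisory or of the original page: the script below emits iptables rules that accept the RMI registry port only from an allowlist of management hosts and drop every other connection to it, and audits a saved `iptables -S INPUT` listing for the same property (every ACCEPT for the port must carry a source restriction and a DROP for the port must exist). The port number, the allowlist CIDRs and the sample rule listings are constructed assumptions; confirm whether your DCNM version listens on 1099 or 9099 before applying anything. The rules are printed for review, not applied.

```shell
#!/bin/sh
# Added example, not Cisco's own code. Restrict the Cisco Prime DCNM RMI registry
# port to an allowlist of management hosts and audit an existing ruleset.
# RMI_PORT and the CIDRs below are assumptions for illustration.

RMI_PORT="${RMI_PORT:-1099}"   # 9099 on some DCNM versions; confirm before use

# Emit iptables rules (one per line) that accept the RMI registry port only
# from the given source CIDRs and drop all other connections to it.
# Rules are printed for review, not applied.
rmi_allowlist_rules() {
    port="$1"
    shift
    for cidr in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$cidr"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Audit: read the output of `iptables -S INPUT` on stdin and succeed only if
# every ACCEPT for the port carries a source restriction (-s) and a DROP for
# the port exists. Returns 1 if the registry port is reachable from anywhere.
rmi_port_restricted() {
    port="$1"
    rules=$(grep -E -- "--dport ${port}( |$)" || true)
    # an ACCEPT for the port without "-s" means any host may reach the registry
    printf '%s\n' "$rules" | grep -- '-j ACCEPT' | grep -v -q -- ' -s ' && return 1
    printf '%s\n' "$rules" | grep -q -- '-j DROP'
}

# Constructed sample rule listings (what `iptables -S INPUT` might print).
SAMPLE_RESTRICTED='-P INPUT ACCEPT
-A INPUT -s 10.1.1.0/24 -p tcp -m tcp --dport 1099 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1099 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

SAMPLE_OPEN='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 1099 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Demonstration when run directly: print the rules for two assumed
# management networks, then audit both constructed samples.
rmi_demo() {
    echo "# rules for RMI port $RMI_PORT:"
    rmi_allowlist_rules "$RMI_PORT" 10.1.1.0/24 10.1.2.5/32
    printf '%s\n' "$SAMPLE_RESTRICTED" | rmi_port_restricted "$RMI_PORT" \
        && echo "sample 1: restricted" || echo "sample 1: OPEN"
    printf '%s\n' "$SAMPLE_OPEN" | rmi_port_restricted "$RMI_PORT" \
        && echo "sample 2: restricted" || echo "sample 2: OPEN"
}

rmi_demo
```

The audit only checks that a DROP exists and that no unrestricted ACCEPT is present for the port; it does not check rule order, so place the allowlist ACCEPT rules before the DROP when you apply them, and remember that the allowlist must include every host that legitimately talks to the RMI registry (other DCNM components, not just administrator workstations).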

Vulnerability Discussion:VMware has released a security advisory addressing multiple vulnerabilities in VMware Player. To exploit these vulnerabilities, an attacker would place a malicious library file in a working directory and entice a user to access the file with an affected application. If successfully exploited, these vulnerabilities would allow an attacker to bypass security restrictions and obtain access to sensitive information, or to execute arbitrary code and compromise the affected system. <br><br>At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>VMware has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - None

Vulnerability Discussion:VMware has released a security advisory addressing multiple vulnerabilities in Workstation. VMware Workstation is a virtual machine software suite, which allows users to set up multiple virtual machines (VMs) and use one or more of these virtual machines simultaneously with the hosting operating system. To exploit these vulnerabilities, an attacker would create a malicious file and send it to a user via email, enticing them to open it. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code or gain elevated privileges and compromise the affected system. <br><br>At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>VMware has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Vulnerability Discussion:Symantec has released a security advisory addressing a vulnerability in Symantec Scan Engine (SSE). To exploit this vulnerability, an unauthorized attacker would create a malicious file containing machine code, replacement memory addresses, and/or NOP instructions, distribute it via email and entice a user to open it. If successfully exploited, this vulnerability would allow an unauthorized remote attacker to execute arbitrary code in the context of the application or cause a denial-of-service condition.<br><br>

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.<br><br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Vulnerability Discussion:Symantec has released a security advisory addressing a vulnerability in Endpoint Protection products. To exploit this vulnerability, an unauthorized attacker would create a malicious file containing machine code, replacement memory addresses, and/or NOP instructions, distribute it via email and entice a user to open it. If successfully exploited, this vulnerability would allow an unauthorized remote attacker to execute arbitrary code in the context of the application or cause a denial-of-service condition.<br><br>

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.<br><br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br> Users should refer to the "Mitigations" section of the <a href="http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20121107_00">Symantec Security Advisory (SYM12-017)</a>.<br>

Vulnerability Discussion:Splunk has released a security advisory addressing multiple vulnerabilities in various versions of Splunk. Splunk is enterprise software used to monitor, report on and analyze machine data produced by applications, systems and infrastructure devices. To exploit these vulnerabilities, an attacker would craft a malicious URI and entice a user to access it, sending the link via email or another form of distribution. If successfully exploited, these vulnerabilities would allow an attacker to execute a cross-site scripting attack and steal cookie-based authentication credentials, or to cause a denial-of-service condition on the affected system.<br><br>

At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. <br><br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Splunk has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Vulnerability Discussion:IBM has addressed multiple vulnerabilities in IBM DB2. IBM DB2 is a relational database management system capable of running on various platforms, including AIX, HP-UX, Linux, Solaris and Windows. To exploit these vulnerabilities, an attacker would send malicious data to an affected system. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code or gain access to sensitive information.<br><br>

At this time, there are known exploits associated with at least one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>IBM has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br><u>CVE-2012-4826 Mitigation:</u><br>To prevent existing debuggable SQL/PSM stored procedures from being exploited, you need to search for debuggable SQL/PSM SP, then drop and recreate them without debug mode enabled. You can search for debuggable SQL/PSM SP with the following SELECT statement:<br><br>

Vulnerability Discussion:Symantec has released a security advisory addressing multiple vulnerabilities in the Autonomy KeyView module affecting Symantec products. Autonomy KeyView is a commercial Software Development Kit (SDK) that provides file format parsing libraries. To exploit these vulnerabilities, an attacker would craft a malicious file, send it via email and entice a user to open it. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code, gain elevated privileges, or cause a denial-of-service condition, resulting in the compromise of the affected system. <br><br>

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. <br><br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>System administrators should refer to the "Workaround/Mitigations" portion of the <a href="http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20121120_00">Symantec Security Advisory</a> for specific workarounds.<br>

Vulnerability Discussion:McAfee has released a security advisory addressing multiple vulnerabilities in Email Gateway. McAfee Email Gateway consolidates inbound threat protection, outbound data loss prevention, encryption, advanced compliance, and administration into a single appliance. To exploit these vulnerabilities, an attacker would create and send a malicious email with attachments to a user and convince them to interact with the attachments. If successfully exploited, the attacker would gain the ability to cause a denial of service condition or perform cross-site scripting attacks on the affected system.<br><br>

At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. <br><br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>McAfee has tested temporary mitigating strategies and listed them in the Security Bulletin. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None<br>

Vulnerability Discussion:Adobe has released a security bulletin addressing a vulnerability in ColdFusion. Adobe ColdFusion is an application development platform used for developing websites. To exploit this vulnerability, an attacker would interact with an affected system in a malicious manner. If successfully exploited, this vulnerability would allow an attacker to bypass security restrictions in a shared hosting environment. <br><br>At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.<br><br>

Vulnerability Discussion:IBM has released a security bulletin addressing a vulnerability in IBM Informix Dynamic Server. IBM Informix Dynamic Server is a relational database management system. To exploit this vulnerability, an unauthenticated attacker would connect to a database server and execute unspecified SQL statements. If successfully exploited, this vulnerability would allow an attacker to cause a buffer overflow that crashes the Informix database server or allows arbitrary code to be executed within the Informix database server process.<br><br>At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>IBM has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Vulnerability Discussion:Hewlett Packard has addressed a vulnerability affecting HP Network Node Manager i (NNMi). HP Network Node Manager i is a fault-management application for IP networks. To exploit this vulnerability, a remote attacker would gain access to a target system. If successfully exploited, this vulnerability would allow a remote attacker to execute arbitrary code and compromise the system. <br><br>At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>HP has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Vulnerability Discussion:Oracle has released their quarterly Critical Patch Update Advisory for January 2013 addressing multiple vulnerabilities in Oracle Enterprise Manager Grid Control. This Critical Patch Update contains 13 new security fixes for the Oracle Enterprise Manager Grid Control. All vulnerabilities may be remotely exploitable without authentication. If successfully exploited, the most serious of these vulnerabilities would allow a remote attacker to compromise a vulnerable Oracle Enterprise Manager. <br><br>At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Oracle has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Vulnerability Discussion:Oracle has released their quarterly Critical Patch Update Advisory for January 2013 addressing multiple vulnerabilities in Oracle E-Business Suite. This Critical Patch Update contains nine (9) new security fixes for the Oracle E-Business Suite. Seven (7) of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. <br><br>At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Oracle has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None<br>

Vulnerability Discussion:Oracle has released their quarterly Critical Patch Update Advisory for January 2013 addressing multiple vulnerabilities in Oracle Fusion Middleware. This Critical Patch Update contains 7 new security fixes for Oracle Fusion Middleware. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. <BR><BR>

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Oracle has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None<BR>

Vulnerability Discussion:Oracle has released their quarterly Critical Patch Update Advisory for January 2013 addressing 6 vulnerabilities in Oracle Database Server. The Database Server vulnerability is not remotely exploitable without authentication, i.e., exploiting it over a network requires a valid username and password. Additionally, this Critical Patch Update contains 5 new security fixes for Oracle Database Mobile/Lite Server vulnerabilities, which may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. <br><br>

At this time, there are known exploits associated with at least one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Oracle has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Vulnerability Discussion:Oracle has released their quarterly Critical Patch Update Advisory for January 2013 addressing multiple vulnerabilities in Oracle Sun Products Suite. This Critical Patch Update contains 8 new security fixes for the Oracle Sun Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Additionally, this Critical Patch Update also contains 1 new security fix for Oracle Virtualization. That vulnerability is not remotely exploitable without authentication, i.e., exploiting it over a network requires a valid username and password.<br><br>

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Oracle has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Vulnerability Discussion:Oracle has released their quarterly Critical Patch Update Advisory for January 2013 addressing multiple vulnerabilities in Oracle MySQL. This Critical Patch Update contains 18 new security fixes for Oracle MySQL. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. <br><br>At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Oracle has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Vulnerability Discussion:Adobe has released multiple security bulletins addressing vulnerabilities in ColdFusion. Adobe ColdFusion is an application development platform used for developing websites. To exploit these vulnerabilities, a remote attacker would send a malicious request to a computer running a vulnerable version of ColdFusion, allowing the attacker to bypass the authentication controls on the target system. If successfully exploited, these vulnerabilities would allow a remote attacker to compromise affected systems. <br><br>At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Adobe has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Vulnerability Discussion:Cisco has released a security advisory addressing a remote code execution vulnerability in the Cisco Prime LAN Management Solution (LMS) Virtual Appliance. The Cisco Prime LMS is an integrated suite of management functions that simplifies the configuration, administration, monitoring, and troubleshooting of a network. To exploit this vulnerability, an attacker would connect to an affected system and send a series of arbitrary commands. Successful exploitation of this vulnerability would allow an attacker to execute commands with the privilege of the root user resulting in the compromise of affected systems. <br><br>

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.<br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>The workaround for this vulnerability requires the administrator to edit the securetty file in the /etc/ directory on the affected system and remove the rsh entry. Verify after editing that the file no longer contains a line for rsh.<br><br>

Mitigations that can be deployed on Cisco devices in a network are available in the Cisco Applied Intelligence companion document for this advisory: <a href="http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=27920">http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=27920</a>

Vulnerability Discussion:Red Hat has addressed multiple vulnerabilities in JBoss Enterprise Portal Platform. To exploit these vulnerabilities, an attacker would convince a user of an affected system to access a malicious URL. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary web script in the user's browser and compromise the affected system.<br><br>

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. <br><br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Red Hat has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Vulnerability Discussion:Juniper has released a PSN Bulletin addressing multiple vulnerabilities in the Steel-Belted Radius server. Steel-Belted Radius is a centralized identity management and network access security appliance. To exploit these vulnerabilities, an attacker would locate a vulnerable server and attempt to interrupt the connection handshake process by inserting malformed packets. If successfully exploited, these vulnerabilities would allow an attacker to obtain sensitive information or cause a denial of service condition.<br><br>At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Juniper has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Vulnerability Discussion:Red Hat has addressed multiple vulnerabilities in various JBoss products. To exploit these vulnerabilities, an attacker would utilize various tactics, techniques, and procedures (TTP) to compromise an affected system. If successfully exploited, these vulnerabilities would allow an attacker to bypass security restrictions and compromise the affected system. <BR><BR>

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<BR>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Red Hat has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Vulnerability Discussion:IBM has addressed multiple vulnerabilities affecting IBM WebSphere Application Server. The IBM WebSphere Application Server is a web application server for various operating systems. To exploit these vulnerabilities, a remote attacker would send malicious requests to an affected system or entice a user to access a malicious link sent via email. If successfully exploited, these vulnerabilities would allow an attacker to gain access to sensitive information, inject malicious script into an affected web browser within the context of the hosting web site, execute arbitrary code within the context of the application, bypass security restrictions, or cause a denial-of-service condition. <br><br>

At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>IBM has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - None<br>

Vulnerability Discussion:IBM has reported multiple vulnerabilities in IBM Tivoli Storage Manager. IBM Tivoli Storage Manager is a centralized, policy-based, enterprise class data backup and recovery software suite capable of running on various platforms, including AIX, HP-UX, Linux, Macintosh, NetWare, OS/400, z/OS, Solaris and Windows. To exploit these vulnerabilities, an attacker would use various tactics, techniques and procedures. If successfully exploited, these vulnerabilities would allow an attacker to deny service to legitimate users, gain unauthorized access and execute arbitrary code, resulting in the compromise of affected systems. <br><br>At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>IBM has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br><u>Workarounds:</u><br>If using the traditional scheduler, set the SCHEDMODE option value to POLLING, which is the default value, in the client options file or on the command line.<br><br>Configure the scheduler to be managed by the Client Acceptor Daemon (CAD) by specifying 'MANAGEDSERVICES SCHEDULE' or 'MANAGEDSERVICES SCHEDULE WEBCLIENT' in the client options file.

Vulnerability Discussion:Samba has addressed multiple vulnerabilities affecting various versions of Samba in the Samba Web Administration Tool (SWAT). Samba is an open source suite of programs that provides Windows interoperability for Unix and Linux platforms. To exploit these vulnerabilities, a remote attacker would entice a user to access a malicious URL or web page. If successfully exploited, these vulnerabilities would allow a remote attacker to gain unauthorized access and compromise the affected system.<br><br>At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Samba has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br><u>Workaround:</u><br><br>Ensure SWAT is turned off and configure Samba by editing the smb.conf file with an alternative method.

Vulnerability Discussion:Adobe has released a security bulletin addressing multiple vulnerabilities in Adobe Reader and Adobe Acrobat. Adobe Acrobat is a document exchange program which allows data files created on one software platform (Windows, Macintosh, UNIX, etc.) to be displayed and printed on another without loss of text formatting. Adobe Reader allows users to read and print PDF files in the browser window. To exploit these vulnerabilities, an attacker would entice a user to access a malicious PDF file hosted on a web page or sent via email. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code and compromise the affected system. <br><br>At this time, these vulnerabilities are being exploited in the wild; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Adobe has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None<br>

Vulnerability Discussion:Multiple vulnerabilities have been identified affecting various versions of the HP ArcSight Connector Appliance & HP ArcSight Logger. ArcSight Connector Appliances facilitate audit-quality log collection from all event-generating sources across the enterprise. ArcSight Logger is a log storage and search solution. To exploit these vulnerabilities, an attacker would leverage various tactics, techniques and procedures (TTP). If successfully exploited, these vulnerabilities would result in the compromise of affected devices.<br><br>At this time, there are known exploits associated with at least one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>HP has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None<br>

Vulnerability Discussion:The Apache Software Foundation has addressed multiple vulnerabilities in Apache HTTP Server. Apache HTTP Server is an open source, commercial-grade web server application for various operating systems such as UNIX, Linux, and Microsoft Windows. To exploit these vulnerabilities, a remote attacker would entice a user to access a malicious link sent via email. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code in the affected browser and obtain access to sensitive information, resulting in the compromise of the affected system. <br><br>At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Apache Software Foundation has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Vulnerability Discussion:CKEditor has addressed a vulnerability in CKEditor. CKEditor (formerly FCKeditor) is an HTML text editor used in web pages. To exploit this vulnerability, a remote attacker would entice a user to follow a malicious URI sent via email. If successfully exploited, this vulnerability would allow a remote attacker to execute arbitrary code and compromise the affected system.<br><br>At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>CKEditor has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Vulnerability Discussion:Multiple vulnerabilities have been reported in various versions of Wireshark. Wireshark is a security enhancement software tool used to analyze and troubleshoot network traffic. To exploit these vulnerabilities, a remote attacker would use various tactics, techniques, and procedures (TTP). If successfully exploited, these vulnerabilities would allow an attacker to cause a denial of service condition. <br><br>At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Wireshark has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Vulnerability Discussion:Oracle has released out of cycle updates to address multiple vulnerabilities in Oracle Java SE. This Critical Patch Update contains 2 new security fixes for Oracle Java SE. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.<br><br>At this time, there are known exploits associated with at least one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Oracle has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Vulnerability Discussion:Cisco has released a security advisory addressing multiple vulnerabilities in Cisco Unified Communications Manager (CUCM). CUCM is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, VoIP gateways, and multimedia applications. To exploit these vulnerabilities, an attacker would send malformed packets on unused UDP ports to an affected device. If successfully exploited, the attacker would cause a critical service to fail, which will interrupt voice services and lead to a denial-of-service.<br><br>At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>Filtering traffic on TCP port 9004 from untrusted sources can provide a workaround for the LBM vulnerability.<br><br>Additional mitigations that can be deployed on Cisco devices in the network are available in the companion document "Identifying and Mitigating Exploitation of the Cisco Unified Communications Manager and Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability" at the following location: <a href="http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=28034">http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=28034</a>.

Vulnerability Discussion:Hewlett-Packard has released a security bulletin addressing a vulnerability affecting various HP LaserJet printers. To exploit this vulnerability, an attacker would remotely access an affected system. If successfully exploited, this vulnerability would allow an attacker to gain unauthorized access to sensitive information.<br><br>At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Hewlett-Packard has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Vulnerability Discussion:Stunnel has released an advisory to address a vulnerability in the Stunnel application. Stunnel is an application used to provide a universal TLS/SSL tunneling service. Stunnel uses OpenSSL libraries for cryptography. To exploit this vulnerability, an attacker would send a malicious request to the affected system. If successfully exploited, this vulnerability would allow an attacker to execute arbitrary code and compromise the affected system. <br><br>At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Stunnel has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>Disable the NTLM authentication.

Vulnerability Discussion:PHP has released an advisory to address multiple vulnerabilities in PHP. PHP is an HTML-embedded scripting language that gives web developers the ability to write dynamically generated pages. To exploit these vulnerabilities, an attacker would send malicious data to an affected system. If successfully exploited, these vulnerabilities would allow a remote attacker to execute arbitrary code, bypass security restrictions, or cause a denial of service condition. <br> <br>At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>PHP has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None<br>

Vulnerability Discussion:Cisco has addressed a vulnerability affecting Cisco Unified Presence Server (UPS). Cisco Unified Presence provides an open and extensible platform that facilitates the secure exchange of availability and instant messaging (IM) information. To exploit this vulnerability, an attacker would send malicious packets to a Session Initiation Protocol (SIP) port of an affected server. If successfully exploited, this vulnerability would allow an unauthenticated, remote attacker to cause a denial-of-service condition on an affected device.<br><br>At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>Filtering traffic from untrusted sources on TCP port 5060 can provide a workaround for this vulnerability.

Vulnerability Discussion:Google has released a security bulletin addressing multiple vulnerabilities in the Chrome browser. Google Chrome is a multi-platform web browser. To exploit these vulnerabilities, an attacker would use various tactics, techniques, and procedures (TTPs). If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code in the context of the web browser, bypass security restrictions, and cause a denial-of-service condition on the target system. <br><br>At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Google has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Vulnerability Discussion:Massachusetts Institute of Technology (MIT) has addressed multiple vulnerabilities affecting MIT Kerberos 5 (krb5). Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. To exploit these vulnerabilities, an attacker would send a malicious request to an affected system. If successfully exploited, these vulnerabilities would allow an unauthenticated remote attacker to cause a denial of service condition on affected systems. <br><br>At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Red Hat has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Vulnerability Discussion:The Mozilla Foundation has released multiple security advisories to address multiple vulnerabilities in various Mozilla products. To exploit these vulnerabilities, an attacker would use various tactics, techniques and procedures (TTP). If successfully exploited, these vulnerabilities allow an attacker to execute arbitrary code, gain escalated privileges, bypass security restrictions, conduct cross-site scripting attacks and cause denial of service conditions resulting in the compromise of affected systems. <br><br>At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>The Mozilla Foundation has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Vulnerability Discussion:Asterisk Project has released multiple security advisories addressing multiple vulnerabilities in multiple Asterisk products. Asterisk is an open source Private Branch Exchange (PBX), telephony engine and telephony applications toolkit. To exploit these vulnerabilities, an attacker would send a malicious request to an affected application. If successfully exploited, these vulnerabilities would allow a remote attacker to execute arbitrary code within the context of the affected application, gain access to sensitive information, or cause a denial of service condition.<br><br>At this time, there are known exploits associated with one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Asterisk Project has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Vulnerability Discussion:Internet Systems Consortium (ISC) has reported a vulnerability in Berkeley Internet Name Domain (BIND). ISC BIND is a widely used implementation of DNS available for multiple operating system platforms. To exploit this vulnerability, a remote attacker would send a malicious query to an affected server. If successfully exploited, this vulnerability would cause the affected BIND server to exhaust memory resources, resulting in a denial of service condition. <br><br>At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Internet Systems Consortium (ISC) has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>Patched versions are available (see the "Solutions:" section below) or operators can prevent exploitation of this bug in any affected version of BIND 9 by compiling without regular expression support.<br><br>Compilation without regular expression support:<br><br>BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1), and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely safe from this bug by re-compiling the source with regular expression support disabled. In order to disable inclusion of regular expression support:<br><br>After configuring BIND features as desired using the configure script in the top level source directory, manually edit the "config.h" header file that was produced by the configure script. <br>Locate the line that reads "#define HAVE_REGEX_H 1" and replace the contents of that line with "#undef HAVE_REGEX_H". <br>Run "make clean" to remove any previously compiled object files from the BIND 9 source directory, then proceed to make and install BIND normally.
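The config.h edit in the ISC workaround above is easy to get wrong by hand and easy to lose when configure is re-run, so a scripted, verifiable version is useful. The following is an added example, not ISC's own tooling: it rewrites the HAVE_REGEX_H define in a BIND 9 source tree's config.h, keeps a backup, and checks the result before the operator proceeds with "make clean" and the normal build. The sample config.h it creates is constructed for illustration and stands in for the one the configure script generates; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the ISC advisory): apply and verify the
# "#define HAVE_REGEX_H 1" -> "#undef HAVE_REGEX_H" edit in a BIND 9
# config.h before rebuilding. Paths and the sample config.h are constructed.

# Check that config.h no longer defines HAVE_REGEX_H and carries the undef.
# Returns 0 when regex support is compiled out, 1 otherwise.
regex_support_disabled() {
    cfg="$1"
    grep -q '^#define[[:space:]]\{1,\}HAVE_REGEX_H' "$cfg" && return 1
    grep -q '^#undef HAVE_REGEX_H' "$cfg"
}

# Rewrite the HAVE_REGEX_H define line in the given config.h, keeping a
# backup as config.h.orig so the change can be reverted if the build breaks.
# Returns 0 on success, 1 if the file is missing or the edit did not take.
disable_regex_support() {
    cfg="$1"
    [ -f "$cfg" ] || return 1
    cp "$cfg" "$cfg.orig" || return 1
    # -i.bak works with both GNU and BSD sed; the .bak copy is dropped below.
    sed -i.bak 's/^#define[[:space:]]\{1,\}HAVE_REGEX_H[[:space:]].*$/#undef HAVE_REGEX_H/' "$cfg" || return 1
    rm -f "$cfg.bak"
    regex_support_disabled "$cfg"
}

# Constructed sample config.h in a scratch directory, standing in for the
# header ./configure writes at the top of the BIND 9 source tree.
make_sample_config() {
    dir=$(mktemp -d)
    cat > "$dir/config.h" <<'EOF'
/* config.h.  Generated from config.h.in by configure.  */
#define HAVE_INTTYPES_H 1
#define HAVE_REGEX_H 1
#define HAVE_SYS_TYPES_H 1
EOF
    printf '%s\n' "$dir/config.h"
}

# Stand-alone demonstration on the constructed header. On a real tree,
# replace the path with ./config.h and follow with: make clean && make.
cfg=$(make_sample_config)
if disable_regex_support "$cfg"; then
    echo "regex support compiled out in $cfg (backup at $cfg.orig)"
else
    echo "failed to disable regex support in $cfg" >&2
fi
```

The verification step matters because a configure re-run silently regenerates config.h with the define restored; running regex_support_disabled against the tree immediately before make is the check that the mitigation is still in place.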

Vulnerability Discussion:OpenSSL has addressed multiple vulnerabilities affecting various versions of OpenSSL. OpenSSL is an open-source implementation of the SSL and TLS protocols used to encrypt transmission of data between web browsers and web servers. OpenSSL is designed to enable secure communications over an insecure network such as the Internet. To exploit these vulnerabilities, an attacker would send a malicious packet to the affected application. If successfully exploited, these vulnerabilities would allow an attacker to cause a denial of service condition on the affected system.<br><br>At this time, there are exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>The following temporary mitigation strategies can be used to mitigate the vulnerabilities addressed in this directive. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br><u>CVE-2013-0169:</u><br>This vulnerability is only partially mitigated when OpenSSL is used in conjunction with the OpenSSL FIPS Object Module and the FIPS mode of operation is enabled.<br><br><u>CVE-2012-2686:</u><br>Anyone using an AES-NI platform for TLS 1.2 or TLS 1.1 on OpenSSL 1.0.1c is affected. Platforms which do not support AES-NI or versions of OpenSSL which do not implement TLS 1.2 or 1.1 (for example OpenSSL 0.9.8 and 1.0.0) are not affected.<br>

Vulnerability Discussion:Adobe has released multiple security bulletins addressing vulnerabilities in ColdFusion. Adobe ColdFusion is an application development platform used for developing websites. To exploit these vulnerabilities, a remote attacker would send a malicious request to a computer running a vulnerable version of ColdFusion, allowing the attacker to bypass the security authentication controls on the target system. If successfully exploited, these vulnerabilities would allow a remote attacker to compromise affected systems. <br><br>At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Adobe has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Vulnerability Discussion:Adobe has released a security bulletin addressing multiple vulnerabilities in Adobe Flash Player and AIR. Adobe Flash Player is a multimedia application for Microsoft Windows, Macintosh, Linux and Solaris operating systems. To exploit these vulnerabilities, a remote attacker would entice a user to access a malicious web site or open a file with malicious content. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code resulting in the compromise of affected systems.<br><br>At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>Adobe has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Vulnerability Discussion:PostgreSQL has addressed multiple vulnerabilities affecting various versions of the PostgreSQL object-relational database system. PostgreSQL is an open source database system. To exploit these vulnerabilities, an attacker would send a malicious request to an affected system or create a symbolic link in the temporary file directory. If successfully exploited, these vulnerabilities would allow an attacker to gain access to sensitive information, bypass security restrictions, execute arbitrary code in the context of the affected system or cause a denial-of-service condition.<br><br>At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations:IAVA Set Mitigation Control

Mitigation Control:<b>PostgreSQL has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None